Test of web browser extensions XI 2018 (AVLab)

Discussion in 'other anti-virus software' started by ichito, Nov 30, 2018.

  1. adrian_sc

    adrian_sc Registered Member

    Joined:
    Jun 24, 2017
    Posts:
    27
    Location:
    Poland
    Hello everybody. There was an interesting discussion, so let me explain.

    First, how we collect the malware database?

    We use real Windows and Linux systems to collect information about attacks. These are URLs, IP addresses and downloaded files. There are many free honeypots on GitHub, e.g. Dionaea, Thug, Shiva, but we also use real SMTP traps (real e-mail addresses with VPN root access to extract malicious attachments or domains from encrypted messages. We use Mailcow as a mail server: https://github.com/mailcow/mailcow). There are also some commercial ones like CAWS (from NSS Labs). We share the malware samples with the producers after the test. Never before.

    But before we use a sample, it must be tested to be sure it is able to infect Windows 10. As you know, it is not always possible. Many factors influence this. It is very important for the producers to know that we are testing on actually malicious malware, not, for example, on a downloader that does not download anything.

    Second, how is malware copied to the machines?
    Via a real Chrome browser, with the malware URL passed as a parameter. Sometimes we use URLs, and sometimes we use our own DNS server to create different domains for downloading each malware sample. It depends on the test. This time we knew that some software like uBlock Origin protects users based on domain reputation (malicious or clean), so we had to download malware from real malicious URLs.

    Third, regarding uBlock Origin
    The software was tested with default settings plus these enabled lists: Malvertising filter list by Disconnect, Malware Domain List, Malware domains, Spam404.

    If you have additional questions, I will try to answer.
     
  2. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,722
    Thanks for participating. Unfortunately, what you wrote here is not what the report on your website says. So it's still confusing for me.
     
  3. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    5,942
    You forgot to comment on the rest...
     
  4. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,598
    Location:
    Canada
    In other words, from URLs not included in any of the enabled filter lists? Besides, uBlockO with Advanced dynamic filtering enabled is a far more powerful beast against malicious or compromised sites than if it's simply used in its default state as an ad and malware domain blocker. I, like some others in this thread, was confused as to why it was included in the tests, especially in only its default state.
     
  5. adrian_sc

    adrian_sc Registered Member

    Joined:
    Jun 24, 2017
    Posts:
    27
    Location:
    Poland
    I will think about describing the algorithm in different words.

    I accept your arguments, but it seems to me that you have a grudge because uBlockO did not live up to the test. You should complain to the publishers of the malicious-domain lists that they did not have up-to-date information about malicious domains in the wild. Or maybe these publishers changed something in the API parameters, so uBlockO cannot get the current data? Or maybe the developer of uBlockO should consider changing suppliers of malicious-website data? I do not know the answer to these questions. The tests showed that the lists Malvertising filter list by Disconnect, Malware Domains, Spam404 and Malware Domain List are weak at protecting users.
     
  6. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,598
    Location:
    Canada
    I assure you no grudge here. I don't rely that much on the malware filters anyway. It's the ad blocking and third-party frame blocking that matter most to me. There are other browser and system hardening mechanisms I harness as well. uBlockO is not a malware defense extension; it's a wide-spectrum blocker against ads and malware domains, with optional advanced dynamic features to block scripts and frames.
     
    Last edited: Dec 5, 2018
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,126
    Location:
    The Netherlands
    OK, so you didn't download malware from honeypots, but directly from malicious websites? Then I guess you're right.
     
  8. mekelek

    mekelek Registered Member

    Joined:
    May 5, 2017
    Posts:
    513
    Location:
    Hungary
    uBlock Origin is primarily an adblocker, what are you guys arguing about, seriously...
     
  9. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    5,942
    What is uBlock origin secondarily.
     
  10. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    846
    Location:
    Baden Germany
    @anon:
    I guess you already know the answer:
    An add-on to reduce exposure to third parties
     
  11. mekelek

    mekelek Registered Member

    Joined:
    May 5, 2017
    Posts:
    513
    Location:
    Hungary
    Whatever you choose to use it for, don't expect it to excel at the secondary purpose you set for it.
    Adding static block lists doesn't make it a replacement for a web filter for malware/phishing; that's what AVs and web filter browser extensions are for.
    It is pretty dumb to use uBlock Origin as your sole anti-malware/phishing web security.
     
  12. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    12,403
    Location:
    Here
    Description on author's site:
    I'm also curious why it achieved 0/1870, even when malware lists were used. IMO it's just unlikely that this would happen with updated lists.
     
  13. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    5,942
    I'm not asking, I just replied to mekelek's question:

    "uBlock origin is primarily an adblocker, what are you guys arguing about,"
    ->
    "[They are arguing about] what is uBlock origin secondarily."
     
    Last edited: Dec 9, 2018
  14. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,598
    Location:
    Canada
    I agree 100%
     
  15. m0unds

    m0unds Registered Member

    Joined:
    Nov 12, 2015
    Posts:
    200
    If their test cases included 0 sites on blocklists, then it would have shown 0%. Not a hard thing to do considering the hundreds of thousands of compromised hosts active at any given point.
     
  16. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    12,403
    Location:
    Here
    ATM there are 30,000+ entries in those 4 lists. Even with hundreds of thousands of compromised hosts I think it is unlikely that no blacklisted host was included in the test. Somebody with better knowledge of statistics could calculate the likelihood of that happening. IMO it's small.
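    An added example (not from AVLab or any poster in this thread) that does what post 1 and this post describe: it matches fetched URLs against hosts-style and Adblock Plus-style entries, the two formats the four uBlock Origin lists use, and computes the likelihood of zero hits under uniform sampling for the 30,000-entry, 1,870-sample figures above. The list entries and URLs are constructed, and the 300,000-host population is an assumed figure, not one the thread gives.

```python
import math
from urllib.parse import urlsplit

# Constructed entries (not AVLab data) in the two formats the four lists use:
# hosts-file style (Malware Domain List, Malware Domains) and ABP style (Disconnect, Spam404).
SAMPLE_LIST = """\
# hosts-style entries
0.0.0.0 bad-cdn.example
127.0.0.1 dropper.test
! ABP-style entries
||evil-ads.example^
||phish.example^$third-party
"""

# Constructed URLs standing in for the "malicious real URLs" the test fetched.
SAMPLE_URLS = [
    "http://cdn.bad-cdn.example/payload.exe",  # subdomain of a listed domain
    "http://dropper.test/dl?id=1",             # listed exactly
    "http://203.0.113.7/update.bin",           # bare IP: domain lists never match
    "https://fresh-domain.example/",           # not yet on any list
]

def parse_blocklist(text):
    """Return the set of blocked domains from hosts-style or ABP-style lines."""
    domains = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":       # both comment syntaxes
            continue
        if line.startswith("||"):             # ABP: ||domain^ or ||domain^$options
            entry = line[2:].split("^", 1)[0].split("/", 1)[0].split("$", 1)[0]
        else:                                 # hosts: "<ip> <domain>" or bare domain
            parts = line.split()
            entry = parts[1] if len(parts) > 1 else parts[0]
        domains.add(entry.lower())
    return domains

def is_blocked(url, domains):
    """Match the hostname and each parent domain, as domain-based lists do."""
    host = urlsplit(url).hostname
    if not host:
        return False
    labels = host.lower().split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels) - 1))

def p_zero_hits(total_hosts, blacklisted, samples):
    """Hypergeometric P(no sampled host is listed), computed in log space."""
    log_p = sum(math.log((total_hosts - blacklisted - i) / (total_hosts - i))
                for i in range(samples))
    return math.exp(log_p)
```

    With the assumed 300,000-host population, p_zero_hits(300_000, 30_000, 1_870) is on the order of 1e-86, so a 0/1870 result is only plausible if the fetched URLs were not drawn uniformly from the hosts the lists cover.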
     
  17. mekelek

    mekelek Registered Member

    Joined:
    May 5, 2017
    Posts:
    513
    Location:
    Hungary
    I feel like people are arguing about why uBlock isn't a good web anti-malware, which kinda implies that people think its main purpose is that.
    If I'm assuming wrong, then don't mind me.
     
  18. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    12,403
    Location:
    Here
    IMO you're right and I also don't think that its main purpose is that.
    But it was still tested together with dedicated anti-malware solutions. It seems like they were comparing oranges and apples.
     