Web and HTTP Scanning

Discussion in 'other anti-virus software' started by Diver, Apr 24, 2008.

Thread Status:
Not open for further replies.
  1. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Web or HTTP scanners are getting popular and recently showed up in the new versions of AVG and Avira.

    There have been threads on this topic before, but I believe it deserves revisiting.

    The basic case for HTTP scanning is most malware is being delivered via browser exploits today. Browser exploits operate as the browser is parsing items being served by a remote web server prior to being written to the browser cache. That way malware may clobber the browser and do its damage prior to when the AV would normally get its first look at the file. Hopefully, the AV authors will manage to get the latest exploits into their signature databases before the browser authors are able to offer patches and thereby provide an extra measure of security.

    Many unsupported opinions on the need for HTTP scanning have been offered, plus a more limited range of opinions from those who might know what they are talking about.

    Various points raised include:

    Slows down browsing too much, which is probably true on old computers.

    Requires scanning everything twice because the browser changes the items it downloads prior to writing them to disk.

    May conflict with other security software, but it seems the more security software you have the more conflicts you get.

    Might be defeated by javascript obfuscation, and that no AV has the resources to really analyze the scripts. I am not sure what this means, but it seems that all malware these days is constantly being changed to avoid detection.

    Could be defeated by HTTPS.

    Not needed with Firefox because most exploits have involved flaws in Windows components that FF does not use. I suspect this comment is dated.

    Anyone? If all you have to say is it's not needed and don't have a reason, you will look like a dummy to me.
     
  2. Dogbiscuit

    Dogbiscuit Guest

    I've always thought web scanning was primarily for protecting systems that weren't always patched.

    • If you keep updated regularly, doesn't web scanning then only protect you from zero-day drive-by exploits? And then only for that period of time between when the exploit is used and when there is a fix for it?
    • Can your AV catch the exploit with a signature or its heuristics, because either way will probably buy you just a few days time before the vulnerability is patched.
    • Are the resources you devote to http scanning worth it in protecting you from zero-day malware just during these short periods of time?
    • Have you ever been infected due to a zero-day drive-by download?
    I don't see a great need for it in my situation, but I wouldn't turn the feature off if it didn't slow down my browsing any (my experience is that it does).
     
  3. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    From what I understand, HTTP scanning sits between the browser and the internet. The argument is that malware can use scripting/browser exploits to execute before it is written to cache. So if HTTP scanning didn't exist, these browser exploits will only be found by the on access scanner after it hits cache, which is too late.
     
  4. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    This is how I understand it also. If the scanner catches something, at least in my experience it tells you what it's caught, like trojan.blahblah.exe, so, am I right in assuming if the scanner from a particular AV has a name for it, it's already in the AV signature database? I would think the only thing that would catch a truly 0-day exploit would be a HIPS program because of the activity that exploit is trying to start on the system.

    It's my opinion that the scanner is there simply to catch things before they get into the browser's temp file or further, which means instead of having to clean up an infection from a relatively safer place (temp files which can be easily deleted), you end up not having to clean up anything. Maybe I'm thinking too simple, but that's how I understand them so far. In my humble opinion, I think it's pretty nice to not have to do ANY cleanup as opposed to having to clean something out from a "harmless" place.

    I completely understand the argument of slowing down browsing. If you're on dialup or a slower dsl connection, yeah, I wouldn't want mine slowed down either. But on a fairly fast connection, how bad is the slowdown truly? I guess it also comes down to whether you want to trade some speed for even a little more security. No one is stupid or paranoid no matter if they're on the "I use it" or "I don't use it" side of the fence. It's extra ammo in the arsenal, if you have a lot of firepower already, maybe you don't need that extra bullet, if not, that one extra shot might make a difference.
     
  5. Dogbiscuit

    Dogbiscuit Guest

    Isn't real-time file scanning a different thing from web/http scanning?
     
  6. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Not that I'm aware of, because when my scanner has caught something on a webpage, it was during the loading of said page, so that's pretty real-time in my opinion.
     
  7. Dogbiscuit

    Dogbiscuit Guest

    Wouldn't that mean then that Avira didn't have real-time file scanning before they recently added http scanning? o_O
     
  8. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I seem to have confused both of us, lol. Ok, without an HTTP scanner (and hopefully if I'm woefully wrong I will be quickly corrected), you would only find out that a file was infected AFTER it was downloaded or AFTER a malicious script was run. In my own opinion, that's after the fact and therefore not real-time. WITH the scanner, it is scanning the page before you download anything or before a script is run, and you are warned about it. That, again, in my opinion, is real-time.

    Edit: Hmm, wrong spot to stick this in, but does Avira's scanner also work when using P2P as Avast's does?
     
  9. Dogbiscuit

    Dogbiscuit Guest

    I'm not faulting your use of the term "real-time", but I believe it is also used in a different sense here as well (i.e., on-demand vs. real-time scanning).
     
  10. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Well, lemme see here. Ok, real-time to me is "right now before it starts to happen". In that sense of the word, before you ever download that infected file and before it ever touches your disk, you are warned about it and can stop the process. That's what the scanner does or tries to do (they aren't foolproof). If by real-time you mean the infected file is someplace on the disk, whether just in a temp file or in an actual disk folder as a bona fide download, then yes, most AVs I know of will tell you the file is infected before you execute it provided said AV has the signature in its database.

    Does that help at all? :)
     
  11. Dogbiscuit

    Dogbiscuit Guest

    Yes, that helps me understand how you're using the term "real-time". Thanks.
     
  12. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    You are very welcome :)
     
  13. Boost

    Boost Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    1,293
    I've been online for ohhh, let's see, about 15 or more years, and have never used an anti-virus that used HTTP scanning. I've also had very few infections, so in my own personal opinion, I can live without the HTTP scanning that's become the "new" option for antivirus.

    Then again, I'm not as paranoid as many users are here :gack:
     
  14. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Congratulations.

    Paranoid, or just extra careful? :)
     
  15. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,531
    Location:
    Sneffels volcano
    Infections are out there. It's just a matter of time....when it's too late :cautious:
     
  16. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    All I can say about them is that I think they're useful but only so long as they don't impair performance too much. I have seen comments on browsing slowdowns from people with old as well as new hardware, so I think it's mostly a matter of how well-written the web scanner is. Some are good and fast, some aren't. The best ones I have seen are Avast's and Avira's. The worst I've seen is KAV's. Nod's was acceptable also.
     
  17. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Well, my experience has been that on relatively new hardware the delays of HTTP scanning are not noticeable. I am more interested in knowing if the concept really works.

    At heart, I am a skeptic. You might also be interested to know that some malware is designed to crash the parsing routines of mail scanners used in corporate gateways. The idea being that HTTP scanning is a potential liability, or is it not?
     
  18. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Being a skeptic is perfectly fine, it keeps you from spending money/time/effort on something that may not be effective contrary to claims or it may be overkill. There are programs out there that claim one thing or another and happily take our money while not delivering the goods. As far as knowing if it truly works, well, unfortunately all you can do here is get yes or no answers from fellow members. The only way to truly know is to install it and A: surf around until you run across a website that has something malicious, or, if you are well protected from other programs, B: Install it and go to a website you know to be infected and see if it does what it claims to.

    Otherwise, even if you read well respected websites on the matter, it's still yes and no answers from other people.
     
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Both are real time.

    File scanner scans on disc read/ write etc.

    HTTP scanner scans before that. But both are real time.
     
  20. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Yes, so as an example, go to the Eicar website http://www.eicar.org/anti_virus_test_file.htm

    Click on the .com file in the http (not https) section. If an HTTP scanner is active, it will catch it and tell you that there is a virus on the website and prevent the website from loading. If there is no HTTP scanner, your AV will catch it after it is written to cache and it will tell you where in cache it has found it.
     
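As an added illustration of the distinction this thread keeps circling (Diver's opening description of scanning before the cache write, and the EICAR test above), not code from any post or from the AV products mentioned: a toy Python model of where an HTTP scanner sits versus an on-access scanner, using the EICAR test string as its only signature. The function names, the sample HTTP response and the cache dict are constructed for this example.

```python
"""Toy model of the two places an AV can inspect a download: an HTTP scanner
between browser and server, and an on-access scanner that only sees the file
once it has been written to the browser cache."""
from __future__ import annotations

# EICAR test signature (harmless industry test string), assembled from
# pieces so this source file does not itself contain the contiguous string.
EICAR = (b"X5O!P%@AP[4" + b"\\PZX54(P^)7CC)7}$EICAR-"
         + b"STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")

def signature_match(data: bytes) -> str | None:
    """Stand-in for a signature database with a single known pattern."""
    return "EICAR-Test-File" if EICAR in data else None

def parse_http_response(raw: bytes) -> tuple[dict[str, str], bytes]:
    """Split a raw HTTP/1.x response into a header dict and the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers: dict[str, str] = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return headers, body

def http_scanner(scheme: str, raw: bytes, cache: dict[str, bytes]) -> dict:
    """Inspect the response body *before* the browser parses or caches it.
    Over HTTPS the scanner sees only ciphertext (the caveat raised in the
    thread), so it cannot do better than pass the data through unscanned."""
    if scheme == "https":
        return {"verdict": "unscanned", "cached": False}
    headers, body = parse_http_response(raw)
    hit = signature_match(body)
    if hit:                                        # never reaches the cache
        return {"verdict": "blocked", "detection": hit, "cached": False}
    cache[headers.get("content-disposition", "download")] = body
    return {"verdict": "clean", "cached": True}

def on_access_scanner(raw: bytes, cache: dict[str, bytes]) -> dict:
    """Without an HTTP scanner the body lands in the cache first; the
    on-access scanner is triggered by that write, i.e. after the fact."""
    headers, body = parse_http_response(raw)
    name = headers.get("content-disposition", "download")
    cache[name] = body                             # already on disk here
    hit = signature_match(cache[name])
    return {"verdict": "blocked" if hit else "clean", "detection": hit,
            "cached": True, "where": name}

# Constructed sample (not a real capture): the eicar.com link over plain http.
SAMPLE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
          b"Content-Disposition: attachment; filename=eicar.com\r\n"
          b"Content-Length: 68\r\n\r\n" + EICAR)
```

Run `http_scanner("http", SAMPLE, {})` and `on_access_scanner(SAMPLE, {})` side by side: both detect the test file, but only the second one has already written it to the cache dict when it does.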
  21. JasSolo

    JasSolo Registered Member

    Joined:
    May 9, 2007
    Posts:
    414
    Location:
    Denmark
  22. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Jas,

    The question is whether HTTP scanning is more effective at finding these threats than traditional on access scanning. Does the threat cause the browser to do something it should not before traditional scanning can detect it?

    What I have noticed is sometimes clicking on a "bad" link will start a process that produces a dialog "do you want to run XYZ.exe", but there is still the option of closing the browser and not running the program. A web scanner may in some circumstances detect the attack prior to the start of the download, but is that actually safer if there is adequate opportunity to prevent the trojan from running?

    What I have noticed is the Avira scanner produces no noticeable delay on most web pages, and a slight delay on complex pages. If it messes with speed tests, I suppose it can be turned off for the test.
     
  23. JasSolo

    JasSolo Registered Member

    Joined:
    May 9, 2007
    Posts:
    414
    Location:
    Denmark
    I would say yes I think so, to that.

    You should try ESS and the one below as well then :D


    Cheers
     