WSA subject to three new browser extension attacks

Discussion in 'Prevx Releases' started by fax, Apr 15, 2013.

Thread Status:
Not open for further replies.
  1. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,726
    Location:
    localhost
    Well, as usual you look like the primary target of MRG testing, and free of charge :D.

    Anyway, hopefully you will investigate this to be back on par with Trusteer, which seems to always be one step ahead for these types of attacks.

    Comparative Efficacy Assessment of Wontok SafeCentral
    http://www.mrg-effitas.com/current-tests/
     
  2. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,634
    Location:
    UK
    That report is from February 2013 and I'd like to think the three items undetected were now detected. Another point to bear in mind is we're at build .127 whereas they tested .109 so there must be improvements in between to mitigate against such "attacks".
     
  3. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,726
    Location:
    localhost
    The point is always the same. It would be desirable that Identity Shield is updated to generically protect from these attacks, as they are able to leak sensitive/financial information. This is why it is important they are blocked on the spot rather than when it is too late. :)

    WSA works a lot based on "let's see what X does, then we block it and revert the changes". Then it's essential that the anti-leak is always at the state of the art and beyond.
     
  4. sturgess

    sturgess Registered Member

    Joined:
    Aug 24, 2011
    Posts:
    158
    Why not just include Trusteer Rapport as part of your security set-up, I have.
     
  5. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,726
    Location:
    localhost
    Could be, but it's likely to conflict with WSA as it operates very similarly. So you may end up having both not working correctly and bam... less security + infection. WSA staff should know if both can be run together.
     
  6. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I'm not seeing any additional information on the report or what the threats actually are, but I've asked our research team for any additional information that we may have received from them. Reading between the lines, it sounds like they're using browser extensions, which would mean the user would have to have installed the supposedly malicious browser extensions, which is an area not used by malware and easily circumvented (using the safemode features of a browser, or just disabling the add on) but I'm just reading between the lines at this point.

    As for these being in the wild threats - we most definitely have not seen them, nor have we had to change the Identity Shield protection in quite some time as it has been blocking threats generically without a problem.

    And yes, SafeOnline wouldn't be blocking it, but SafeOnline autoupgrades to WSA so that portion of the test is irrelevant.
     
  7. GrammatonCleric

    GrammatonCleric Registered Member

    Joined:
    Jan 8, 2009
    Posts:
    372
    Yeah, but I thought the selection of MAXIMUM ID protection was to isolate the add-ons (browser extensions) in the browser from collecting the data or interfering with the data? Otherwise what's the point? Also, what happens if the user doesn't know that what they downloaded is malware?! Since no one intentionally downloads malware add-ons for personal use.
    What if, let's say, Ad-Block Plus goes rogue because one dev got fired etc. and starts collecting info? I know it's far fetched, but it's the most installed add-on so the best target.

    So is the choice in the picture just a feel good choice? Or how else does Webroot define Untrusted Browser add-ons and Media?
    Not to directly attack but come on, enough with excuses for every freaking test, there is a new excuse.
    http://i.imgur.com/pSzBhSU.png
     
    Last edited: Apr 17, 2013
  8. GrammatonCleric

    GrammatonCleric Registered Member

    Joined:
    Jan 8, 2009
    Posts:
    372

    Why? Why would you? If you paid money to have supposedly the same protection in Webroot? Why would you feel the need to add another tool to use up resources and maybe interfere with the functionality of your current tool?
    One only does that because they know that the tool they use is inferior to what is out there for free. Then the question is: why even pay for a product if a free one is better?
     
  9. Techfox1976

    Techfox1976 Registered Member

    Joined:
    Jul 22, 2010
    Posts:
    749
    Excellent point. You should rely wholly on Trusteer Rapport to protect you against malware. It's an excellent AV and will definitely do the job of ensuring you have a much lower chance of getting infected.
     
  10. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    WSA does isolate data from untrusted browser extensions - we have yet to receive any information from MRG on these tests so I can't say what techniques these are using yet or if they can actually be used by real malware.

    If an extension goes rogue, it is trivial to remove them either automatically or through the browser itself. Or, you can have a banking shortcut which disables addons (-safe-mode in Firefox, for example) if you are truly concerned with it with no need for any security changes. This is the easiest and most secure way if you are concerned about this.
     
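    The "banking shortcut" idea in the post above (run the browser with add-ons disabled) and the earlier question of what an "untrusted" add-on even is can both be made concrete. The following is an added example written for this page, not code from any poster, Webroot or Trusteer. It assumes the extensions.json layout that modern Firefox profiles use (an "addons" list with "id", "active", "userDisabled", "type" and "userPermissions" fields); the sample JSON is constructed, the add-on IDs under example.invalid are fictitious, and the "banking" profile name is an assumption.

```python
"""Audit a Firefox profile's add-ons and build a banking launcher command.

Assumptions (not from the thread): the extensions.json layout below matches
what modern Firefox writes; field names may differ in older versions.
"""
import json
import os
import shlex
from typing import Dict, List

# Constructed sample of a profile's extensions.json (not real data).
SAMPLE_EXTENSIONS_JSON = json.dumps({
    "schemaVersion": 35,
    "addons": [
        {"id": "uBlock0@raymondhill.net", "type": "extension",
         "active": True, "userDisabled": False,
         "defaultLocale": {"name": "uBlock Origin"},
         "userPermissions": {"permissions": ["webRequest", "webRequestBlocking"],
                             "origins": ["<all_urls>"]}},
        {"id": "helper@example.invalid", "type": "extension",  # fictitious
         "active": True, "userDisabled": False,
         "defaultLocale": {"name": "Shopping Helper"},
         "userPermissions": {"permissions": ["webRequest", "cookies", "storage"],
                             "origins": ["*://*.example-bank.invalid/*", "https://*/*"]}},
        {"id": "old@example.invalid", "type": "extension",  # fictitious, disabled
         "active": False, "userDisabled": True,
         "defaultLocale": {"name": "Disabled Thing"},
         "userPermissions": {"permissions": [], "origins": []}},
        {"id": "default-theme@mozilla.org", "type": "theme",
         "active": True, "userDisabled": False, "defaultLocale": {"name": "Default"}},
    ],
})

# Host patterns that let a content script run on every (HTTPS) site, which
# is what a data-stealing add-on needs to see a bank's login and payment pages.
BROAD_ORIGINS = {"<all_urls>", "*://*/*", "https://*/*", "http://*/*"}
# Permissions that allow reading or rewriting traffic, sessions or the clipboard.
SENSITIVE_PERMISSIONS = {"webRequest", "webRequestBlocking", "cookies",
                         "clipboardRead", "nativeMessaging"}


def active_extensions(extensions_json: str) -> List[Dict]:
    """Return the add-ons of type 'extension' that will actually run."""
    data = json.loads(extensions_json)
    return [a for a in data.get("addons", [])
            if a.get("type") == "extension"
            and a.get("active") and not a.get("userDisabled")]


def risky_extensions(extensions_json: str) -> List[Dict]:
    """Flag active extensions that can see every page or touch traffic/cookies.

    This scores capability, not intent: a legitimate ad blocker and a rogue
    add-on look alike here, which is exactly why a per-add-on trust decision
    cannot be derived from the manifest alone.
    """
    findings = []
    for addon in active_extensions(extensions_json):
        perms = addon.get("userPermissions", {})
        origins = set(perms.get("origins", []))
        permissions = set(perms.get("permissions", []))
        reasons = []
        if origins & BROAD_ORIGINS:
            reasons.append("runs on all sites")
        if permissions & SENSITIVE_PERMISSIONS:
            reasons.append("can read/alter traffic or cookies")
        if reasons:
            findings.append({
                "id": addon["id"],
                "name": addon.get("defaultLocale", {}).get("name", ""),
                "origins": sorted(origins),
                "permissions": sorted(permissions),
                "reasons": reasons,
            })
    return findings


def banking_launch_command(firefox: str = "firefox", profile: str = "banking") -> List[str]:
    """argv for a banking shortcut: safe mode (all add-ons off) on a dedicated profile.

    -safe-mode, -no-remote and -P are real Firefox command-line options; the
    profile name is an assumption and must already exist (create it via
    'firefox -P').
    """
    return [firefox, "-safe-mode", "-no-remote", "-P", profile]


def load_profile_extensions(profile_dir: str) -> str:
    """Read extensions.json from a real profile directory for auditing."""
    with open(os.path.join(profile_dir, "extensions.json"), encoding="utf-8") as fh:
        return fh.read()


if __name__ == "__main__":
    for f in risky_extensions(SAMPLE_EXTENSIONS_JSON):
        print(f"{f['id']} ({f['name']}): {', '.join(f['reasons'])}")
    print("Banking shortcut:", shlex.join(banking_launch_command()))
```

    To audit your own profile, pass `load_profile_extensions("/path/to/profile")` to `risky_extensions` instead of the constructed sample; the disabled add-on and the theme are ignored, while both extensions with `<all_urls>`-style origins are flagged regardless of reputation.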
  11. GrammatonCleric

    GrammatonCleric Registered Member

    Joined:
    Jan 8, 2009
    Posts:
    372

    I presume the post was made in sarcastic tone if not then please excuse me for the reply below.

    If it indeed was a jab of sarcasm at the fact that Trusteer Rapport is not an AV and Webroot is, then yep, that's true, Trusteer Rapport is not an AV. However, Webroot advertises itself as having the ability to do what Trusteer Rapport does (have ID theft prevention for browsers).

    So if you are paying for a product that is offering a complete package, then you are not just paying for an AV, you are also paying for the ID theft prevention portion of the product. As such, you should demand a product that is better than a free offering out there, or am I being too demanding for my money? Sorry, I have the Complete edition of the product and as such am expecting the complete protection, otherwise I would have just paid for the AV.
    It's OK to be a fanboy and defend a product, but sometimes you have to think about what you are defending. You are paying for the betterment of a product over a free offering. So you vote with your wallet. Wouldn't you want your wallet vote to count? To better the product? To point out the mistakes and misconceptions? This is not Politburo AntiVirus; misconception is unnecessary.


    PrevxHelp:

    Thanks for the explanation, I am too eagerly awaiting results and the reasons behind the failure. All of these jabs are meant to better the product and not make it worse. Nothing gets better without criticism. Basically a mentality of war: Technological Evolution Through Conflict.
     
  12. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    I also wonder, if Wontok & Trusteer are able to pass those tests, then why can't WSA be made to?
     
  13. Techfox1976

    Techfox1976 Registered Member

    Joined:
    Jul 22, 2010
    Posts:
    749
    Yes, it was sarcasm with a purpose.

    The AV alone has the ID protection. So if you pay for the AV alone, you can consider the ID protection portion of it to be "extra" that you are not paying for, thus you're once again comparing free part of something to other free.

    Complete includes Lastpass and Sync components, as well as cleanup.

    On the lines of why the others can do it and WSA doesn't... WSA also doesn't get in the way of nearly as much legitimate stuff in my experience. So it becomes a trade-off I suppose. Lighter, less-invasive, and better AV, but less protection against unexplained "failure" marks on a "test", or not as good at AV but better at not getting failure marks on an unexplained test.

    For all we know, the test could have involved marking the samples as "Allow" on the agent because the AV portion detected them as badware. "But we want to test its ability to block things on the ID Shield! So we must tell the AV part to take it out of quarantine and allow it so the ID shield can try to block it instead." Needless to say, since the two communicate, that makes the threats trusted by the ID shield too, so the failure would occur due to human error. Just grasping at potentials here, but until we know what's up, nobody can really say.
     
  14. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Based on the table in the test, it sounded like they were test tools rather than actual threats, which could be an explanation, but again, we'll know more once we get information about them.
     
  15. sturgess

    sturgess Registered Member

    Joined:
    Aug 24, 2011
    Posts:
    158
    Techfox1976 "Yes, it was sarcasm with a purpose"
    I thought so. It was also very long.
     