Efficient WEB protection - which program?


I am looking for a program that does real time browsing protection
very well. I don't necessarily need "comprehensive solution" that
covers everything and a kitchen sink - just browsing.

So far I tried, as recommended by friends, Kaspersky, AVAST and
AVIRA. None can truly handle a good but pretty straightforward
attack. Take, for example, this site (WARNING: clearly bad and
efficient malware!):

gradient-header.ru/gamma/index.php

All of the programs warn about the site containing malware, yet
before I could even do anything, the virus starts and opens all
kinds of stupid windows and none of the above programs is able
to effectively handle it once it gets going. (Other than pretending
to be a virus scanner, I am not sure what it does - I just shut off
Windows and restore disk image that I made before visiting
this "test" site - it does propagate quickly, making numerous copies).

If you know of a program that can 100% solidly detect and prevent
the execution of the malware from the above site, please indicate
what the program is. Freeware would be ideal but I am perfectly
willing to buy if it works well.

Thanks,

Dima
 
P.S. I got the address above from
http://www.malwaredomainlist.com/mdl.php
Great for testing purposes as it points to many different exploits.


Re: Efficient WEB protection - which program?

email.me:

 
Since your posted URL sounds almost guaranteed to infect my computer, I
have decided against testing it. I do have daily disk images but I prefer
not to have to spend the half hour or so it takes to restore.

But if it's the run of the mill fake AV that wrecks your exe file
association and runs from a random three letter exe file, I'd put my
money on MalwareBytes (paid) to nail it before it would install.

--
   --- A dyslexic man walks into a bra ---

Re: Efficient WEB protection - which program?

Li'l Abner wrote:

Redirected to obfuscated Javascript which leads to shellcode and
exploits for Java, Flash, and Adobe Reader - has that popular version
checking routine also. My guess is Blackhole again.

[...]

Re: Efficient WEB protection - which program?



Yes.  It was a Blackhole Exploit Kit exploiting CVE-2010-0840 and there was no
virus.

Efficient ?
What a strange word to apply to both the malware and an application.

Malware being "effective" and anti malware "proficient" maybe more descriptive
terms.


--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp



Re: Efficient WEB protection - which program?

David H. Lipman wrote:
:)
I am familiar with the usage of 'efficient' in the manner of the OP. I
think 'effective' is what is meant because the OP can have no idea of
the computing cost of producing those results.


Re: Efficient WEB protection - which program?



I guess it depends on one's definition of "virus" but under my definition it was
definitely a virus: it created several instances of a file with names
[rubbish]exey,
each of which was trying to access Internet (firewall blocked them).

Dima

Re: Efficient WEB protection - which program?


|
|
| I guess it depends on one's definition of "virus" but under my definition it was
| definitely a virus: it created several instances of a file with names [rubbish]exey,
| each of which was trying to access Internet (firewall blocked them).
|

It wasn't and your definition is faulty.



--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp


Re: Efficient WEB protection - which program?

DK wrote:
NoScript could help you to avoid the vector (it uses Javascript).

Re: Efficient WEB protection - which program?

"DK" wrote:


Links to: lement-interval.in/main.php?page=56121227efa16f9a (only if
cookies are working) which is a bunch of exploits in javascript
(Blackhole exploit kit) for:

Java
MSXML2 ADO
Adobe PDF reader
MS Media Player
Adobe Flash


Yes, a fake AV scan executable is downloaded and run. That means one
of the exploits worked, which means you don't have the latest patches
or updates for something in the above list.


The best "program" is your own security configuration. Do not allow
the above listed ActiveX controls and plugins to automatically run in
a browser. If you have them at all they must be kept up to date. You
could also disable scripting and cookies. Whitelist those sites where
you want these otherwise disabled or prompted-for features to run.

Note: Javascript (or JScript if Microsoft) is normally built in to the
browser. Java is something completely different originally from Sun
Microsystems but now owned by Oracle. Javascript is very common in
legitimate web pages but Java nowhere near as much.



Re: Efficient WEB protection - which program?



Okay, so I will have to go through all of the updates. Fine. But that
will only solve the problem until the next exploit in the next program.
And constant updates of every program on the computer eventually
bring about tons of incompatibilities/bugs that are very hard to diagnose.

So the real question is how come three leading software solutions,
all with "webguard" equivalents turned on, fail to intercept such
an attack??? And, going back to my original question, what software
succeeds in doing so?

Mentioned so far are Malwarebytes and NoScript. I used to have
NS installed but found it cumbersome to manage. I will try it again.
Question: will a very long white list in NoScript slow down browsing
considerably? It's going to be very long because just about every
site out there is using all these scripts for all kinds of reasons.

Dima

Re: Efficient WEB protection - which program?


|
|
| Okay, so I will have to go through all of the updates. Fine. But that
| will only solve the problem until the next exploit in the next program.
| And constant updates of every program on the computer eventually
| bring about tons of incompatibilities/bugs that are very hard to diagnose.
|
| So the real question is how come three leading software solutions,
| all with "webguard" equivalents turned on, fail to intercept such
| an attack??? And, going back to my original question, what software
| succeeds in doing so?
|
| Mentioned so far are Malwarebytes and NoScript. I used to have
| NS installed but found it cumbersome to manage. I will try it again.
| Question: will a very long white list in NoScript slow down browsing
| considerably? It's going to be very long because just about every
| site out there is using all these scripts for all kinds of reasons.
|
| Dima

Malwarebytes (MBAM) does not do what you want.  It only does IP blocking and
doesn't even target Exploit Code.

Exploitation mitigation through software updates and patches is your best
bet against exploitation ingress of malicious code.

You can not rely on software to protect you through some kind of "webguard".
You are your best defense.  You have to practice Safe Hex and not click on
every link you are presented or find.  Maintaining the OS and software
sub-systems is no different than lubricating ball joints, changing the
filters and other routines performed on an automobile.

Secunia offers a personal Information Assurance scanner to check for
vulnerabilities.  Use it and find what sub-systems are vulnerable on your
computer.

http://secunia.com/software_inspector


--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp


Re: Efficient WEB protection - which program?


I would have thought that if they actually worked as advertised then why
not? Definitely a better first line defence than worrying about every program
on the computer.  (These days it's almost impossible to find a program
that would not want to access Internet). Well, it's NoScript for me for now.


Thanks! I knew I saw this page but couldn't remember it.

On a completely unrelated note, David:

Is it possible to get rid of the hard-coded C:\AV-CLS path
in multi_AV? Would it still work if I just search and replace
the string with my own path in every *.bat and *.kix file?

Dima

Re: Efficient WEB protection - which program?


Lipman"
|
| I would have thought that if they actually worked as advertised then why
| not? Definitely a better first line defence than worrying about every program
| on the computer.  (These days it's almost impossible to find a program
| that would not want to access Internet). Well, it's NoScript for me for now.
|
|
| Thanks! I knew I saw this page but couldn't remember it.
|
| On a completely unrelated note, David:
|
| Is it possible to get rid of the hard-coded C:\AV-CLS path
| in multi_AV? Would it still work if I just search and replace
| the string with my own path in every *.bat and *.kix file?
|

No, sorry.



--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp


Re: Efficient WEB protection - which program?



I am the one that mentioned MBAM. I run it and besides the occasional
"IP Blocked" notice I see a mid-screen popup that states that something
is trying to install or run and then gives you the option of quarantining
it or to turn off blocking. I cannot remember the exact wording. In the
one or two instances it happened to me I picked quarantine. One of my
customers related getting that same popup only he picked the other option
rather than quarantine. The fake AV installed itself at that point. So
MBAM does *something* besides block IP addresses. I will have to study up
on it some more because I have talked a lot of my customers into buying
the paid version for just that purpose.

--
   --- A dyslexic man walks into a bra ---

Re: Efficient WEB protection - which program?



|
| I am the one that mentioned MBAM. I run it and besides the occasional
| "IP Blocked" notice I see a mid-screen popup that states that something
| is trying to install or run and then gives you the option of quarantining
| it or to turn off blocking. I cannot remember the exact wording. In the
| one or two instances it happened to me I picked quarantine. One of my
| customers related getting that same popup only he picked the other option
| rather than quarantine. The fake AV installed itself at that point. So
| MBAM does *something* besides block IP addresses. I will have to study up
| on it some more because I have talked a lot of my customers into buying
| the paid version for just that purpose.
|

The best way to describe it is to state what is scanned and targeted. MBAM
specifically targets executable types of binaries which start with 'MZ' as
the first two characters in the binary which could be; EXE, DLL, SYS and CPL
files but can be renamed to any file extension or executable file extension
like; LNK, BAT, CMD and PIF. Often we find malicious binaries posted on
photo or other web sites that have been renamed from EXE to JPG, PNG or GIF
to obfuscate the malicious intent of the file.

This means that MBAM will not scan data files such as; SWF, DOC, PPT, XLS,
PDF, CLASS, etc. or script files such as; HTML, JS, PHP, BAT, CMD, etc.

The fully installed anti virus application that is installed on one's
computer that performs both "On Access" and "On Demand" scanning will scan
those files types. That is one of the two main reasons why MBAM supplements
anti virus software and does not replace anti virus software. The second is
MBAM doesn't specifically "target" viruses because MBAM can't "clean" the
malicious code from an infected file where code has been; prepended,
appended or cavity injected. For that matter MBAM can't "clean" a trojanized
file either. At best MBAM will delete these files. To my knowledge, with the
present version MBAM can't detect or clean MBR code either.

However, I don't have intimate knowledge on the IP protection of the full
and paid-for Professional version.


--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp
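As an added illustration of Dave's point about MZ binaries hiding behind image extensions (this is not his code, nor MBAM's logic): a small Python check that classifies a file by its content rather than its name, flagging a file whose bytes carry a DOS/PE header but whose extension claims JPG, PNG or GIF. The sample inputs are constructed inside the script; the "fake PE" is only a header, not a runnable program.

```python
import struct

# Content signatures for the data types the thread mentions.
KNOWN_MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"%PDF": "pdf",
}
EXE_EXTS = {"exe", "dll", "sys", "cpl", "scr"}

def looks_like_pe(data: bytes) -> bool:
    """True if data starts with an 'MZ' DOS header whose e_lfanew field
    (offset 0x3C) points at the 'PE\\0\\0' signature Windows expects."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):          # pointer outside the buffer
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def classify(name: str, data: bytes) -> str:
    """Compare what the bytes are with what the extension claims."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if looks_like_pe(data):
        return "executable" if ext in EXE_EXTS else f"executable disguised as .{ext}"
    for magic, kind in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def make_fake_pe() -> bytes:
    """Constructed MZ + PE header only (hypothetical sample, not a real program)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew -> right after DOS header
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20

# Constructed samples: a real-looking JPEG, a renamed executable, a PDF.
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 60,
    "holiday.jpg": make_fake_pe(),
    "report.pdf": b"%PDF-1.4\n" + b"\x00" * 60,
}

def scan(samples=SAMPLES) -> dict:
    return {name: classify(name, data) for name, data in samples.items()}

if __name__ == "__main__":
    for name, verdict in scan().items():
        print(f"{name}: {verdict}")
```

On a real system you would feed it the first few hundred bytes of each downloaded file; an "executable disguised as" verdict is the case an extension-based filter misses.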


Re: Efficient WEB protection - which program?



Thanks, Dave. I appreciate that you will take the time to explain this
kind of thing in a simple enough way that I can understand it. After
following your conversations with some of the other geeks about the
really *deep* stuff, I feel honored you'll take the time to help me out!

--
   --- A dyslexic man walks into a bra ---

Re: Efficient WEB protection - which program?



All correct.
 

I do. It's just a blocking program. Peerblock is actually more
advanced...


--
Character is doing the right thing when nobody's looking. There are too
many people who think that the only thing that's right is to get by, and
the only thing that's wrong is to get caught. - J.C. Watts

Re: Efficient WEB protection - which program?

DK wrote:


You may also want to use another DNS server that offers some extra
protection.  http://www.opendns.com/

