Interception of web content by AV software (was Re: VML Patch for Win9x?)

PCR wrote:

Dave?  Can you answer that one?

No, no plot.

I submitted "testvml[1].htm" to virus total and only a handful of AV
software flagged it.  Symantec was one of them.

I went to a Win-98 system that I haven't patched with the new version
of VGX.dll and verified that it crashes when viewing the above URL.
The NAV-2002 on that system was last updated Aug 28, so no it didn't
flag anything.

I then updated NAV to Sept 27 or 28 then went to that URL again, and
again it crashes IE, but NAV catches and quarantines testvml[1].htm
while the crash message is still on the screen.

So basically NAV (2002 version) is not capable of intercepting bad WWW
content before IE handles it.  

Do we know if "modern" AV software intercepts and scans web content
BEFORE a browser sees it?  

Is this a quirk of Win-98/NAV-2002, or does this apply to XP and
current AV software?

Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)


| PCR wrote:
|
| Dave?  Can you answer that one?


The System was unpatched.  Of course IE will crash.
Who said this was a "virus"?  It isn't; it is exploit code, and it was NOT
quarantined; the software was set to rename, not delete or quarantine.


|
| No, no plot.
|
| I submitted "testvml[1].htm" to virus total and only a handful of AV
| software flagged it.  Symantec was one of them.
|
| I went to a Win-98 system that I haven't patched with the new version
| of VGX.dll and verified that it crashes when viewing the above URL.
| The NAV-2002 on that system was last updated Aug 28, so no it didn't
| flag anything.
|
| I then updated NAV to Sept 27 or 28 then went to that URL again, and
| again it crashes IE, but NAV catches and quarantines testvml[1].htm
| while the crash message is still on the screen.
|
| So basically NAV (2002 version) is not capable of intercepting bad WWW
| content before IE handles it.
|
| Do we know if "modern" AV software intercepts and scans web content
| BEFORE a browser sees it?
|
| Is this a quirk of Win-98/NAV-2002, or does this apply to XP and
| current AV software?

How it is handled is dependent upon the settings of the AV software and the
signatures that software uses.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)

"David H. Lipman" wrote:

In my case, NAV did quarantine the .htm file from IE's cache.  The
signatures are obviously not the issue here because the item was
detected.  

There is no setting on NAV 2002 along the lines of interception of web
content before being handed off to the browser (as opposed to pop-mail
handling which NAV and other AV software obviously can do).

I take it that because you haven't directly answered that question,
that you are acknowledging that indeed there is AV software and there
are mechanisms whereby the scanning of web-browser content can and
does happen before being rendered or processed by the browser?

The crashing of an IE window while attempting to view the URL in
question SHOULD NOT HAPPEN if a system has AV software that is capable
of detecting (and quarantining) the specific threat.  

Detecting the threat inside a cached temporary file is too late if the
browser has already processed the code inside the file.

Many people are of the belief that their AV software will protect them
during web surfing.  Clearly that protection can't happen if there is
no mechanism of passing web code through the AV software first before
being seen by the browser.  Does any such mechanism exist for IE?  For
Firefox or Mozilla?

Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)


| "David H. Lipman" wrote:
|
|>> Is this a quirk of Win-98/NAV-2002, or does this apply to XP
|>> and current AV software?
|
| In my case, NAV did quarantine the .htm file from IE's cache.  The
| signatures are obviously not the issue here because the item was
| detected.
|
| There is no setting on NAV 2002 along the lines of interception of web
| content before being handed off to the browser (as opposed to pop-mail
| handling which NAV and other AV software obviously can do).
|
|>> Do we know if "modern" AV software intercepts and scans web
|>> content BEFORE a browser sees it?
|
| I take it that because you haven't directly answered that question,
| that you are acknowledging that indeed there is AV software and there
| are mechanisms whereby the scanning of web-browser content can and
| does happen before being rendered or processed by the browser?
|
| The crashing of an IE window while attempting to view the URL in
| question SHOULD NOT HAPPEN if a system has AV software that is capable
| of detecting (and quarantining) the specific threat.
|
| Detecting the threat inside a cached temporary file is too late if the
| browser has already processed the code inside the file.
|
| Many people are of the belief that their AV software will protect them
| during web surfing.  Clearly that protection can't happen if there is
| no mechanism of passing web code through the AV software first before
| being seen by the browser.  Does any such mechanism exist for IE?  For
| Firefox or Mozilla?

It doesn't matter if it is Web Content or any other disk file.  The scanning is
performed as the file is written to the Browser cache.

No anti virus can intercept all communication between the PC and the Internet.
If you want that to happen, set up a Proxy Server between your LAN and the
Internet and install anti virus software on the Proxy Server.  There are
Gateway/Proxy appliances on the market for this.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
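
Added example, not part of the thread or any poster's code: a sketch of the gateway arrangement described in the post above, where the proxy holds the whole response and scans it before the browser receives any of it. The signature, the size limit and all function names are constructed for illustration.

```python
# Added illustration (not from the thread): a gateway that withholds an HTTP
# response body from the client until the whole body has been scanned.
from typing import Iterable, Optional, Tuple

# Constructed, harmless stand-in for a signature database (assumption).
SIGNATURES = {"Constructed.Test.Marker": b"CONSTRUCTED-TEST-MARKER"}
MAX_BODY = 1 << 20  # assumed policy: bodies over 1 MiB are refused, not passed unscanned

BLOCK_PAGE = b"<html><body>Blocked by gateway scanner</body></html>"


def scan(data: bytes) -> Optional[str]:
    """Return the name of the first signature found in data, else None."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None


def gateway_relay(upstream_chunks: Iterable[bytes]) -> Tuple[int, bytes, Optional[str]]:
    """Reassemble the upstream body, scan it, then decide what the browser gets.

    Returns (status, body_for_client, verdict). Nothing is released to the
    client before the verdict, so the browser never parses flagged content.
    """
    buffered = bytearray()
    for chunk in upstream_chunks:
        buffered += chunk
        if len(buffered) > MAX_BODY:
            return 403, BLOCK_PAGE, "too-large-to-scan"  # fail closed
    # Scanning the reassembled body means a pattern that straddles two
    # network chunks is still seen as one contiguous byte string.
    verdict = scan(bytes(buffered))
    if verdict is not None:
        return 403, BLOCK_PAGE, verdict
    return 200, bytes(buffered), None


if __name__ == "__main__":
    clean = [b"<html><body>", b"hello", b"</body></html>"]
    # Constructed sample: the marker arrives split across two chunks.
    flagged = [b"<html>CONSTRUCTED-TE", b"ST-MARKER</html>"]
    for name, chunks in (("clean", clean), ("flagged", flagged)):
        status, body, verdict = gateway_relay(chunks)
        print(name, status, verdict, len(body))
```

The cost of this placement is latency: the client sees no bytes until the last upstream chunk has arrived and been scanned.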



Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)

"David H. Lipman" wrote:

Ok, then WHICH AV software can intercept SOME of the communication
between the PC and the internet (or in this case, between a web server
and a browser) ????

If the answer is none, then what does that say about the entire AV
industry?  I'll tell you what it says.  It says that they've been
fostering the myth that they can make your web browsing more safe or
more secure, when they really can't, because their products are NOT
SITUATED in the right place (between the internet and the browser)
hence they are not in a good position to deflect a threat.  They can
tell you afterwards that something got in, but they can't stop your
browser from being influenced by the threat first.

Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)


| "David H. Lipman" wrote:
|
| Ok, then WHICH AV software can intercept SOME of the communication
| between the PC and the internet (or in this case, between a web server
| and a browser) ????
|
| If the answer is none, then what does that say about the entire AV
| industry?  I'll tell you what it says.  It says that they've been
| fostering the myth that they can make your web browsing more safe or
| more secure, when they really can't, because their products are NOT
| SITUATED in the right place (between the internet and the browser)
| hence they are not in a good position to deflect a threat.  They can
| tell you afterwards that something got in, but they can't stop your
| browser from being influenced by the threat first.

None at the PC level.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)

98 Guy wrote:

really more of an anti-malware than an anti-virus specifically, but -
socketshield...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"

Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)

On Sun, 01 Oct 2006 16:25:53 GMT, "David H. Lipman"


Isn't that exactly what a layered service provider does?


Jim.


Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)


| On Sun, 01 Oct 2006 16:25:53 GMT, "David H. Lipman"
|
| Isn't that exactly what a layered service provider does?
|
| Jim.

No.  That acts between the protocol stack and the Windows Sockets (WINSOCK).

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)

On Mon, 2 Oct 2006 10:52:15 -0400, "David H. Lipman"


It might act there but it still "intercept(s) all communication
between the PC and the Internet."


Jim.


Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)



| It might act there but it still "intercept(s) all communication
| between the PC and the Internet."
|
| Jim.

What AV software do you know uses an LSP Plug-In, James?

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)

On Mon, 2 Oct 2006 11:32:09 -0400, "David H. Lipman"

From past threads in acv/acav, AVG email checking does. Don't know
about any others.


Jim.


Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)


| From past threads in acv/acav, AVG email checking does. Don't know
| about any others.
|
| Jim.

Thank You.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)

David H. Lipman wrote:

NOD32 does.

Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)



| NOD32 does.
|

Thanx Adam.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)

Adam Piggott wrote:

If NOD32 has this capability, and if few or no other AV software does,
then wouldn't this make NOD32 the hands-down winner of all of the
various "what's the best AV software?" threads?

(I usually don't follow those threads, hence my question)

Not even Kaspersky does this?

Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)

98 Guy wrote:

A very wide question :-)

I haven't done a lot of recent testing on other programs, but my two cents
would be that I trust no other anti-virus product on the market to protect
my customers.

Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)

Adam Piggott wrote:

Are you saying that Kaspersky is the only anti-virus program that you
trust?  BTW, the nice thing about really learning your PC is then you
start to understand what is really going on and you do not need things
like pop up blockers and even anti virus programs are not usually
needed.  Anti-spyware programs are still nice since it is still so easy
to get spyware and other baddies out there.  The key questions users
must ask themselves especially on a clean machine is "What did I do to
cause myself to get this pop up or this piece of spyware?"  For example,
did I browse to an unknown site, did I click on an unknown email
attachment, am I reading all emails in plain text and only enabling the
html of that email when I am fairly sure that it is safe, etc.  If the
user is careful then the user can learn lots of stuff and start figuring
out how to manually configure stuff through DOS or the Command Prompt in
XP Professional.
    The user can then continue to delve into the registry, always making
sure to have backups and start reading and learning about adding and
deleting keys.  The user can also start learning about the BIOS, how to
safely flash it for an upgrade, how to safely configure settings, etc.
I am now at the point where I really enjoy my computer and I take
passion in my job of fixing insecure computers at work as well as
teaching children who I feel help keep me young and it is exciting to
try and pass my values or at least encourage them in the direction of
positive values and know that you are making a small amount of
difference in this chaotic world.

--
Dan W.

Computer User

Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)

I think you misunderstood. I believe Adam is touting NOD32, not Kaspersky.

--

Gary S. Terhune
MS-MVP Shell/User



Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)

Gary S. Terhune wrote:

Oops, you're correct, thank you for clearing that up.
