Interception of web content by AV software (was Re: VML Patch for Win9x?) - Page 2


Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)

Adam Piggott wrote:

Thanks Gary and Adam.  BTW, Adam why do your messages include all the
extra stuff?

--
Dan W.

Computer User

Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dan W. wrote:


The extra stuff is a digital signature, so that anyone using an
OpenPGP-compliant email program[1] can verify that I was the poster and
that the message hasn't been tampered with since sending.

I do this as I post on behalf of my business and consider it good practice
to do so. And to pre-empt anyone who is tempted, I've discussed why some
consider it pointless or wasteful to do so, and won't do so further :-)

[1]I use Thunderbird with the Enigmail plug-in and GnuPG.


Cheers,

Adam Piggott, Proprietor, Proactive Services (Computing).
http://www.proactiveservices.co.uk/

Please replace dot invalid with dot uk to email me.
Apply personally for PGP public key.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)

iD8DBQFFImtx7uRVdtPsXDkRAi2iAJ0SVfxoPvrz5Mi05m7Aev9aU6oK3wCglIz+
7G/KYeLX+ctbbn3CHgmUSA4=
=+ht1
-----END PGP SIGNATURE-----

Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)

Adam Piggott wrote:


Do you think the PGP signature accomplishes anything for your usenet
posts other than cluttering up the post?

Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)



I can remember someone giving Laura some flak a while back until he
checked that it wasn't an authentic post. That was closely followed by
an apology. It can be useful on rare occasions but most people
couldn't be bothered.


Jim.


Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)

James Egan wrote:
 

Even in that case, the headers would be easier to consult to determine
if a forging took place.

And it's still clutter.

Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)

Adam Piggott wrote:

Thanks for the detailed explanation.  I really appreciate it.

--
Dan W.

Computer User

Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)

On Sun, 01 Oct 2006 16:25:53 GMT, "David H. Lipman"


That's as I understand it; av will scan files as they are created as
files, or as they are "opened".

So material that never exists as a file (such as emaul attackments
that vanish into mailboxes that hide them thereafter, or entities that
exist purely as in-memory processes, e.g. many pure network worms)
would be missed.  

Attachments will be scanned each time they are created on the fly when
"opened" from the email app, whereas pure network worms may be scanned
only if they try to persist across OS runtimes via the integration of
files dropped on the system.

Firewall and patching are the primary defenses against pure network
worms, whereas choosing an email app that does not hide incoming
attachments is the best approach to emaul attackments.  See...

http://cquirke.mvos.org/9x/empath.htm

Then again, web content is a 1-generation spreading mechanism that can
be updated on the server in real time - and thus may always be "too
new" for an av to detect on a signature basis.  



  Drugs are usually safe.  Inject? (Y/n)

Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)

cquirke (MVP Windows shell/user) wrote:

Chris, I just tried your page and it did not connect but the rest of the
Internet is working.  Is the page okay?

--
Dan W.

Computer User

Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)

You are right. Only his page on the whole NET does not work...!...
The following Website was not found: cquirke.mvos.org


--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
should things get worse after this,
PCR
pcrrcp@netzero.net
| cquirke (MVP Windows shell/user) wrote:
| > On Sun, 01 Oct 2006 16:25:53 GMT, "David H. Lipman"
| >
| >> It doesn't matter if it is Web Content or any other disk file.  The scanning is
| >> performed as the file is written to the Browser cache.
| >
| > That's as I understand it; av will scan files as they are created as
| > files, or as they are "opened".
| >
| > So material that never exists as a file (such as emaul attackments
| > that vanish into mailboxes that hide them thereafter, or entities that
| > exist purely as in-memory processes, e.g. many pure network worms)
| > would be missed.
| >
| > Attachments will be scanned each time they are created on the fly when
| > "opened" from the email app, whereas pure network worms may be scanned
| > only if they try to persist across OS runtimes via the integration of
| > files dropped on the system.
| >
| > Firewall and patching are the primary defenses against pure network
| > worms, whereas choosing an email app that does not hide incoming
| > attachments is the best approach to emaul attackments.  See...
| >
| > http://cquirke.mvos.org/9x/empath.htm
| >
| > Then again, web content is a 1-generation spreading mechanism that can
| > be updated on the server in real time - and thus may always be "too
| > new" for an av to detect on a signature basis.
| >
| >
| >
| >> ------------ ----- --- -- - -  -    -
| >   Drugs are usually safe.  Inject? (Y/n)
| >> ------------ ----- --- -- - -  -    -
|
| Chris, I just tried your page and it did not connect but the rest of the
| Internet is working.  Is the page okay?
|
| --
| Dan W.
|
| Computer User



Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)


| You are right. Only his page on the whole NET does not work...!...
| The following Website was not found: cquirke.mvos.org
|

Syntax !

http://cquirke.mvps.org/9x/empath.htm

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)

Chris had a typo in that link. Should be MVPS, not MVOS.
http://cquirke.mvps.org

--

Gary S. Terhune
MS-MVP Shell/User
http://grystmill.com/articles/cleanboot.htm
http://grystmill.com/articles/security.htm




Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)

I see. And thanks, Lipman, too. He ran out of "P", then. OK, thanks.
Lucky you had one to spare!


--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
should things get worse after this,
PCR
pcrrcp@netzero.net
| Chris had a typo in that link. Should be MVPS, not MVOS.
| http://cquirke.mvps.org
|
| --
|
| Gary S. Terhune
| MS-MVP Shell/User
| http://grystmill.com/articles/cleanboot.htm
| http://grystmill.com/articles/security.htm
|



Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)


| I see. And thanks, Lipman, too. He ran out of "P", then. OK, thanks.
| Lucky you had one to spare!
|

When I run out of "P:" I drink beer.  :-)

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)

Uhuh. Brian A. must have gotten to the MVP fridge first, though, I
think!


--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
should things get worse after this,
PCR
pcrrcp@netzero.net
|
| | I see. And thanks, Lipman, too. He ran out of "P", then. OK, thanks.
| | Lucky you had one to spare!
| |
|
| When I run out of "P:" I drink beer.  :-)
|
| --
| Dave
| http://www.claymania.com/removal-trojan-adware.html
| http://www.ik-cs.com/got-a-virus.htm
|
|



Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)




User failure on my part - the domain is mvps.org, not mvos.org  :-)



  Drugs are usually safe.  Inject? (Y/n)

Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

98 Guy wrote:

I believe this is true.



NOD32 certainly does. HTML/Exploit.VMLFill (3) added 23rd September,
http://www.eset.com/support/updates1.php?pageno=6



It's a failing of NAV 2002. I can't comment on later versions as I don't
use it.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)

iD8DBQFFH+XS7uRVdtPsXDkRAtqdAKCXlkK4c9q+SiwClMlXABBZAZG0AgCfb50G
GDyLPuwxMfe6KQy6g8Y7BXg=
=PJ+b
-----END PGP SIGNATURE-----

Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)

Adam Piggott wrote:



You are confusing the simple detection of that exploit when
encountered in, say, a cached file, vs the REAL TIME detection of the
exploit code as it comes off the internet and into the browser.
 

I contend that you are not understanding the question.

Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

98 Guy wrote:

No I am not. NOD32 intercepts web content as it is being downloaded from a
server and before it is sent to the client. Either it replaces the content
with a custom warning or terminates the connection and opens a warning window.

After asking a question, it's rude to then accuse a replyee of not knowing
what they are talking about before finding facts to back up your rebuke. It
also makes you look rather silly.


That's nice.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)

iD8DBQFFIMjR7uRVdtPsXDkRAlCHAJ9XNgvbiqG5i6BC96eVdF2wDm0z/QCggjl9
90uhUZ/YJwVlJBieuM2utDM=
=Fu4v
-----END PGP SIGNATURE-----
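
The distinction argued over in the posts above (scanning a file once it is written to the browser cache versus intercepting content as it is downloaded), as an added Python sketch that is not part of any post and is not NOD32's or any other vendor's code. The signature, warning page, sample page and function names are constructed for illustration, and the rule for choosing between replacing the content and terminating the connection is an assumption.

```python
# Added illustration, not any vendor's code. Signature and page are constructed.
SIGNATURES = {b"<!--CONSTRUCTED-TEST-MARKER-->": "Test/Constructed.Marker"}
WARNING = b"<html><body>Blocked by scanner</body></html>"
MAXLEN = max(len(sig) for sig in SIGNATURES)


def match(data):
    """Return the detection name of the first signature found in data, else None."""
    for sig, name in SIGNATURES.items():
        if sig in data:
            return name
    return None


def on_access_model(chunks):
    """File-based model (assumption): the browser consumes the bytes from the
    network while the cache file is written; the scan sees the finished file."""
    delivered = b"".join(chunks)          # browser already has everything
    return delivered, match(delivered) or "clean"


def stream_model(chunks):
    """In-stream model: scan each chunk before releasing it to the client.

    The last MAXLEN-1 bytes are held back until the next chunk arrives, so a
    signature split across chunks is caught before its first byte is released.
    """
    released, held = bytearray(), b""
    for chunk in chunks:
        window = held + chunk
        name = match(window)
        if name:
            if not released:              # nothing sent yet: swap in a warning
                return WARNING, "replaced:" + name
            return bytes(released), "terminated:" + name   # cut the connection
        cut = max(len(window) - (MAXLEN - 1), 0)
        released += window[:cut]
        held = window[cut:]
    return bytes(released) + held, "clean"


# Constructed sample: the marker straddles the boundary between two chunks.
PAGE = [b"<html><body>hello <!--CONSTRUC", b"TED-TEST-MARKER--> world</body></html>"]
```

In the file-based model the detection is raised, but only after the client already holds the content; in the in-stream model the client receives either a harmless prefix or the warning page.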

Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)

Adam Piggott wrote:


According to Dave Lipman, there is no AV software that sits in a
position to intercept network traffic and prevent the browser from
seeing malware.  Have you been reading Dave's posts on this?

Somebody needs to explain something here...

Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

98 Guy wrote:

I have seen his posts. Did you see my posts where I stated specifically
that NOD32 does prevent a browser from downloading malicious content?



http://www.proactiveservices.co.uk/research/nod32_imon1.png
...and then...
http://www.proactiveservices.co.uk/research/nod32_imon2.png

How's that! :-)

Any anti-virus that cannot protect an Internet program from downloading
malicious content should really look at the changing landscape of malware
infection. Malware doesn't just arrive by email any more.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)

iD8DBQFFIR7F7uRVdtPsXDkRAlCiAJ9GkFiKn71OV/03Jdsiy9b4pkndgACgj/Fo
d2cipnI+qk8Z5kG3My1wves=
=jRhf
-----END PGP SIGNATURE-----
