Author Topic: Is there a way to test Webshield  (Read 38363 times)


Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: Is there a way to test Webshield
« Reply #15 on: March 20, 2005, 09:37:28 AM »
Web Shield checks all HTTP traffic including archived files (most common web infectors are JAR archives with payload). This is very useful for content that is not cached, but rendered directly. Standard On-Access providers of many antiviruses simply don't scan archives because they make way too high overhead. Web Shield avoids this issue and scans only the most important data that is transmitted from the web.
Such files are those JAR (JS) that I mentioned before and JPEG exploited images.

The main difference between Web Shield and Standard Shield is this:

Standard Shield example
Web -> Browser -> Standard Shield
(data is scanned when it's already passed through browser)

Standard Shield example
Web -> Web Shield -> Browser -> Standard Shield

Now do you see the difference? All data is first checked and then passed to Browser, and if the data is cached it can be also checked by Standard Shield.
So there is much smaller chance of getting infected by some exploit if the data is scanned before it actually hits the browser itself.
Visit my webpage Angry Sheep Blog

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89141
  • No support PMs thanks
Re: Is there a way to test Webshield
« Reply #16 on: March 20, 2005, 11:11:51 AM »
The idea of the web shield is to scan the http stream, to detect any possible virus infection before it has time to get established on the HDD.

Rather than wait until it has downloaded and placed itself in one of the windows system folders, created a registry entry, etc. etc. This is mainly due to people browsing the web with administrator privileges which allows the virus the same privileges.

Prevention has got to be better than cure.

When you attempt to download the eicar.com test file it should be picked up by the web shield and it offers the option to abort the connection (just that item being downloaded, not the dial-up or broadband connection). Doing that stops it in its tracks, it doesn't get on your HDD, so there is a way to test web shield by clicking on the link that Technical gave you.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
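
Added example, not part of the posts above and not avast! code: a toy model of the Web -> Web Shield -> Browser path described in Replies #15 and #16, scanning an HTTP response body (and any JAR/ZIP members, unpacked in memory) for the EICAR test string before the body is handed to the browser. The signature table, limits and function names are assumptions for illustration, and the sample bodies are constructed.

```python
import io
import zipfile

# EICAR standard anti-virus test string (harmless by design), split in two
# so this source file is less likely to be quarantined by a local scanner.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-" + b"STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SIGNATURES = {"EICAR-Test-File": EICAR}  # assumed toy signature table
MAX_DEPTH = 3          # assumed limit on nested archives
MAX_MEMBER = 1 << 20   # assumed per-member unpack limit (1 MiB)

def scan_bytes(data, depth=0):
    """Return the name of the first detection in data, or None if clean."""
    for name, sig in SIGNATURES.items():
        if sig in data:
            return name
    # A deflated archive member usually does not contain the raw signature
    # bytes, so JAR/ZIP bodies are unpacked in memory and each member scanned.
    if depth < MAX_DEPTH and zipfile.is_zipfile(io.BytesIO(data)):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.file_size > MAX_MEMBER:
                        return "Oversized-Archive-Member"
                    hit = scan_bytes(zf.read(info), depth + 1)
                    if hit:
                        return hit
        except (zipfile.BadZipFile, RuntimeError):
            return "Unscannable-Archive"  # corrupt or encrypted: fail closed
    return None

def web_shield(response_body):
    """Decide before the browser sees the body: ('abort'|'pass', hit, body)."""
    hit = scan_bytes(response_body)
    return ("abort", hit, b"") if hit else ("pass", None, response_body)

def make_jar(payload):
    """Build a constructed sample JAR (a ZIP) holding payload as one member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("Payload.class", payload)
    return buf.getvalue()

if __name__ == "__main__":
    samples = {"eicar.com": EICAR, "eicar in JAR": make_jar(EICAR),
               "clean page": b"<html><body>constructed clean page</body></html>"}
    for label, body in samples.items():
        print(label, "->", web_shield(body)[:2])
```

An "abort" verdict returns an empty body, which models the post's point that the item never reaches the browser or the disk.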

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Is there a way to test Webshield
« Reply #17 on: March 20, 2005, 12:44:51 PM »
I can confirm the two previous posts: before Webshield I used to get a lot of exploits and Trojans in my Java cache. AVG used to detect them during a system scan, and avast! 4.5 would sometimes detect them when they had passed through the browser and into the Java cache on the hard disk.

Now with avast! 4.6 and webshield, this malware is intercepted before it has a chance to get on my hard disk. (As a previous post said, before it even reaches the browser).

All this malware was not dangerous anyway, because it was designed to attack the Microsoft Virtual Machine, and doesn't affect the Java Run Time environment. But I think this is a valid real-world test of Webshield: it blocked malware which could have installed a Trojan on a system with an old version of IE vulnerable to this exploit.

Of course the real test of Webshield will be when a new browser or browser plug-in security vulnerability gives rise to a new malware attack: if the Webshield definitions are updated quickly enough and it manages to block the new malware before security updates have been issued, that'll be a real success.
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Is there a way to test Webshield
« Reply #18 on: March 20, 2005, 03:43:12 PM »
Will Webshield block the Java applet Trojan currently targeting alternative browsers?

That would be an interesting test. (The Trojan relies on users clicking 'yes' to a Java applet despite security warnings.)

http://www.edbott.com/weblog/archives/000562.html
http://www.f-secure.com/v-descs/openstream_t.shtml
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Is there a way to test Webshield
« Reply #19 on: March 20, 2005, 04:09:35 PM »
Quote
Of course the real test of Webshield will be when a new browser or browser plug-in security vulnerability gives rise to a new malware attack: if the Webshield definitions are updated quickly enough and it manages to block the new malware before security updates have been issued, that'll be a real success.

Could WebShield be based on Heuristics and not only on signatures?
The best things in life are free.

Culpeper

  • Guest
Re: Is there a way to test Webshield
« Reply #20 on: March 20, 2005, 08:18:24 PM »
Quote
Will Webshield block the Java applet Trojan currently targeting alternative browsers?

That would be an interesting test. (The Trojan relies on users clicking 'yes' to a Java applet despite security warnings.)

http://www.edbott.com/weblog/archives/000562.html
http://www.f-secure.com/v-descs/openstream_t.shtml

This is exactly what I am talking about.  Thanks!

lee16

  • Guest
Re: Is there a way to test Webshield
« Reply #21 on: March 20, 2005, 08:25:28 PM »
Quote
Will Webshield block the Java applet Trojan currently targeting alternative browsers?

That spyware/Trojan is targeting all browsers  ;)

Quote
Could WebShield be based on Heuristics and not only on signatures?

I doubt this, as Malware can be tweaked to bypass Heuristics quite easily if I understand right.

Most likely it is based on definition files and generic files.

--lee

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: Is there a way to test Webshield
« Reply #22 on: March 20, 2005, 08:28:31 PM »
If heuristics can be bypassed so easily, then why NOD32, ArcaVir, BitDefender and some others can detect majority of stuff with it? Including new worms?
Visit my webpage Angry Sheep Blog

lee16

  • Guest
Re: Is there a way to test Webshield
« Reply #23 on: March 20, 2005, 08:35:02 PM »
Quote
If heuristics can be bypassed so easily, then why NOD32, ArcaVir, BitDefender and some others can detect majority of stuff with it? Including new worms?

Because they weren't tweaked for them specifically, if a hacker or virus/malware maker wanted he could tweak it for one or more scanners.

Anyway, I was just rewording what Vlk said:

Quote
On a side note, heuristic detection has one major flaw that is often overlooked. That is, every virus writer in the world can download the scanner and fine-tune the virus so that it goes undetected. And it's often pretty simple to do so -- tweaking a couple of instructions and here we go! Therefore, I'm personally not a big believer in heuristic detection - it's just too fragile (in this sense, being a relatively small vendor actually helps - virus writers may test their code with most common scanners but fail to test them with the rest).

Source: Reply 9 here: http://forum.avast.com/index.php?topic=4979.0

--lee

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Is there a way to test Webshield
« Reply #24 on: March 20, 2005, 10:16:26 PM »
"That spyware/Trojan is targeting all browsers"

Yes, indeed it is, but using different methods. The Java applet Trojan installer targets alternative browsers. IE is targeted by an ActiveX Trojan installer. A script on the website decides which method to use according to which browser you're using.

There's a very interesting discussion here:

http://www.edbott.com/weblog/archives/000562.html :o

Edit: Point taken. Targeting alternative browsers in the sense that it is attempting to install itself on these browsers as well as IE.

I wondered if Webshield would protect against this spyware particularly because I use Firefox. With IE I have many layers of protection against ActiveX installations of spyware (Spyware blaster, IE-spyad, Spybot S & D immunization).

It would be good to know that Webshield gives another layer of protection to Firefox users...

(Above not being dumb enough to click yes to such a dodgy security pop-up, of course!)
« Last Edit: March 20, 2005, 10:50:34 PM by FreewheelinFrank »
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Culpeper

  • Guest
Re: Is there a way to test Webshield
« Reply #25 on: March 21, 2005, 12:34:51 AM »
Quote
Web Shield checks all HTTP traffic including archived files (most common web infectors are JAR archives with payload). This is very useful for content that is not cached, but rendered directly. Standard On-Access providers of many antiviruses simply don't scan archives because they make way too high overhead. Web Shield avoids this issue and scans only the most important data that is transmitted from the web.
Such files are those JAR (JS) that I mentioned before and JPEG exploited images.

The main difference between Web Shield and Standard Shield is this:

Standard Shield example
Web -> Browser -> Standard Shield
(data is scanned when it's already passed through browser)

Standard Shield example
Web -> Web Shield -> Browser -> Standard Shield

Now do you see the difference? All data is first checked and then passed to Browser, and if the data is cached it can be also checked by Standard Shield.
So there is much smaller chance of getting infected by some exploit if the data is scanned before it actually hits the browser itself.

Okay, I see.  It's not duplicated protection but redundant protection by adding the webshield.  That's a good thing.  Thanks!

I'm wondering if that browser security test link on your security site will sound off webshield on different browsers?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89141
  • No support PMs thanks
Re: Is there a way to test Webshield
« Reply #26 on: March 21, 2005, 12:59:15 AM »
Well it works (web shield warning) for me using firefox, avant and IE6 SP2
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Culpeper

  • Guest
Re: Is there a way to test Webshield
« Reply #27 on: March 21, 2005, 02:54:53 AM »
Just out of curiosity, what action does the webshield take when it sounds off on, for example, the eicar test file?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Is there a way to test Webshield
« Reply #28 on: March 21, 2005, 03:15:12 AM »
Quote
Just out of curiosity, what action does the webshield take when it sounds off on, for example, the eicar test file?

Do you mean if an eicar virus test is detected?
For me, a popup message at the bottom of the screen. I suppose that I choose Silent Mode  8)
The best things in life are free.

Culpeper

  • Guest
Re: Is there a way to test Webshield
« Reply #29 on: March 21, 2005, 03:40:40 AM »
Does it block the file and no further action is needed in case the real thing ever happens?