Author Topic: AV in your Browser  (Read 12317 times)

0 Members and 1 Guest are viewing this topic.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67241
Re: AV in your Browser
« Reply #15 on: August 05, 2005, 09:43:42 PM »
But there is a probably security risk in avast!
I try to download there the file via SSL secure connection and avast don´t show the risk, no attention ... nothing. I save it.
Only when I (for example a zip file) open it and open the file in it oder save it, there was a message from avast.
It's not a bug, it's normal and perfect.
If avast! can scan a SSL connection, i.e., break the encryption, so all other guys in Internet could break your connection to your bank and stole your passwords, etc. SSL connections are made to be private, unscanable...  8)

And a other problem:
Try to download the .txt file via SSL https connection and save it. Nothing. Than try to open it with a double click (= editor). Nothing! First a attention message pops up when I try to rename it from .com.txt to .com. That´t not really bad because a file in a archiv or as a text file is not really a risc.
You must read about eicar.com and it's behavior... Seems perfectly normal what is happening in your computer.

But what is with this double-extensions as attachments on emails?
Something like
filename.exe.doc or filename.vbs.txt

What is with this risc?
Being infected by the real .exe or .vbs file, for instance.

In this combination a other question: It there any virus/worm/trojan (or whatever) known which can kill the avast process so that nothing will be scanned and the virus can spreading in the system!?
Sure there is. Just search the board. You'll see that is almost possible to do anything when you're the administrator in a computer.
The best things in life are free.

Thrash

  • Guest
Re: AV in your Browser
« Reply #16 on: August 05, 2005, 11:08:49 PM »
Hmm ok ...

I must admit that I have nothing to say ... ;)

With this SSL Connection you are surely right!
That´s was also where I´m thinking for and that avast can´t scan the webstream itself is right, too ... otherwise it would be a security risc, but I thought avast can scan it, because the ssl stream ends on my computer (not elswhere in the net) and so here it is still decrypted.
But than avast (I think) have to be a art of plugin in the webbrowser to scan it, after the browser decryted it and before it load it ... right? And thats a little bit difficult I think!?


Quote
You must read about eicar.com and it's behavior... Seems perfectly normal what is happening in your computer.
ok ... ! :D
Than i will be quite!

My interest is still satisfied for today ... :)

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67241
Re: AV in your Browser
« Reply #17 on: August 05, 2005, 11:30:11 PM »
That´s was also where I´m thinking for and that avast can´t scan the webstream itself is right, too ... otherwise it would be a security risc, but I thought avast can scan it, because the ssl stream ends on my computer (not elswhere in the net) and so here it is still decrypted.
But than avast (I think) have to be a art of plugin in the webbrowser to scan it, after the browser decryted it and before it load it ... right? And thats a little bit difficult I think!?
I think (maybe I'm wrong) that will be impossible.

Web > Web Shield > Browser > Standard Shield
All data is first checked and then passed to the browser, and if the data is cached it can be also checked by Standard Shield.
So there is much smaller chance of getting infected by some exploit if the data is scanned before it actually hits the browser itself. In other words, the idea of the web shield is to scan the http stream, to detect any possible virus infection before it has time to get established on the local disk.
The plugin will work as the Standard Shield... just after the file is saved...

Than i will be quite!
Sorry, it was not my intention to be rude.
The best things in life are free.

inconnu

  • Guest
Re: AV in your Browser
« Reply #18 on: August 06, 2005, 10:01:43 AM »
Actually, it is possible for a local proxy to filter https/ssl.

Those familiar with the Proxomitron will know what I mean.  This page has some information on implementation.

Needless to say, I can't conjecture on exactly how this could be implemented in avast.  However, inasmuch as, from my understanding, avast is here functioning as a local proxy, it seems possible.

The acceptance of certificates is undertaken by the proxy (in our hypothetical case, by avast), and the certificate sent to the browser, using the model in the link, would belong to avast.

I don't see any real security issues involved in such a setup, provided it is implemented correctly.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67241
Re: AV in your Browser
« Reply #19 on: August 06, 2005, 01:50:34 PM »
Actually, it is possible for a local proxy to filter https/ssl. Those familiar with the Proxomitron will know what I mean.  This page has some information on implementation.
Maybe I'm wrong, as I'm not an expert on it. But, I think one thing is redirecting https/ssl traffic and other, completely different, is scanning this traffic, reading the 'code', the informations passing through. Proxomitron (and any other annonimizer application) and other proxy filters just redirect the traffic but does not analyse it.
The best things in life are free.

inconnu

  • Guest
Re: AV in your Browser
« Reply #20 on: August 06, 2005, 02:48:46 PM »
I'm hardly an expert, either.  ;)

However, I know Proxomitron is able to do filtering (changing/inserting/deleting) of ssl html, js etc.

For example, I have a filter set up for bugzilla (sample bug) which inserts a call for a local stylesheet, to tweak the appearance and (imo) make it easier to read.

Proxomitron has a number of functions, including essentially re-writing webpages before presenting them to the browser.  This can involve both security/privacy issues (eliminating webbugs,  exploits, etc) and "eye-candy"/usability issues, like my bugzilla example.

The typical form of a web filter is to analyse the page, looking for an expression, which is replaced in the page sent to the browser.

This is an example of a web bug filter, by hpguru:
Code: [Select]
Name = "Block Web Bugs - hp2"
Active = TRUE
Bounds = "<img *>"
Limit = 512
Match = "*src=\w*"
        "& (*(height=("|)[#1-4])\1)"
        "& (*(width=("|)[#1-4])\2)"
Replace = "<img src="http://Local.ptron/wbani.gif" \1 \2 alt="Web Bug">"

Some are far more complex.  So, in the case of Proxomitron, analysis is taking place.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67241
Re: AV in your Browser
« Reply #21 on: August 06, 2005, 02:52:34 PM »
If this is the state of the art, let's wait for Alwil official word... It won't be bad if we can scan SSL connections and HTTS through avast!  8)
The best things in life are free.

inconnu

  • Guest
Re: AV in your Browser
« Reply #22 on: August 06, 2005, 03:18:08 PM »
Yes, I think it would be a good feature.  :)

There are a few forums that have good information about the Proxomitron:  Kye-U's Unofficial Proxomitron Forum,  and Castlecops, to name two.

The Proxomitron is no longer under active development, but there is at least one replacement, Proximodo, being worked on.

Filters, however, are being very actively developed and shared by a number of people.

Thrash

  • Guest
Re: AV in your Browser
« Reply #23 on: August 06, 2005, 05:09:32 PM »
That´s was also where I´m thinking for and that avast can´t scan the webstream itself is right, too ... otherwise it would be a security risc, but I thought avast can scan it, because the ssl stream ends on my computer (not elswhere in the net) and so here it is still decrypted.
But than avast (I think) have to be a art of plugin in the webbrowser to scan it, after the browser decryted it and before it load it ... right? And thats a little bit difficult I think!?
I think (maybe I'm wrong) that will be impossible.

Web > Web Shield > Browser > Standard Shield
All data is first checked and then passed to the browser, and if the data is cached it can be also checked by Standard Shield.

I think you´re right!

It makes sense to first check the data stream from the web and than(!) give it to the browser. Otherwise the browser save the data (latest step for avast to check the data, but this is what webshield (I think) don´t want, it will be scan all before it is saved)) ... and if the data will be scanned after the browser has saved it (and maybe let standard shield don´t find a virus for example in a .js file) than the browser will use it and infect the system ... or something like that. ;)

That was a bad and fast idea of me. ;)


Than i will be quite!
Sorry, it was not my intention to be rude.

Ouh ... sorry it was a joke. ;)
I wasn´t angry or something like that.
« Last Edit: August 06, 2005, 05:12:50 PM by Thrash »