URLs are blocked even with 'Block malware URLs' disabled?

[Rundvleeskroket]

If you mean the "Block malware URLs" checkbox, I will report that is doesn't include URL:Mal2 detection

Thank you.

Webshield scans everything that comes from the net.

That makes the name Webshield factually incorrect

For the sceper url www or no makes no difference. Both work if typed in the browser. However, the page selector on the bottom of the site always leads to pages without www. Excluding the sceper domain, with or without www will indeed exclude it, but that is not what I want. It now also excludes the domain from the script scanning and other parts of Web Shield. That is an unnecessarily broad method of exclusion, imo. I really think it would be nice to have a way to exclude a specific URL from URL blocking, and keep the URL blocking feature itself enabled for all other URLs

[HonzaZ]

Webshield scans everything that comes from the net.

That makes the name Webshield factually incorrect

Perhaps NetShield was not as catchy

Excluding the sceper domain, with or without www will indeed exclude it, but that is not what I want. It now also excludes the domain from the script scanning and other parts of Web Shield. That is an unnecessarily broad method of exclusion, imo. I really think it would be nice to have a way to exclude a specific URL from URL blocking, and keep the URL blocking feature itself enabled for all other URLs

But then we would have people who excluded their favourite site and are confused why there is a popup telling them an infection was blocked. Didn't they just add it to exclusions?

And then, we have the following case: Assume we have a domain (blockeddomain.com). On that site there is an iframe with advertisement/game/stream: <iframe src="blockeddomain.com/iframe.html">

When you load this in your browser, this is what happens:
* blockeddomain.com is checked against the blacklist
* blockeddomain.com is resolved and the IP is checked against the blacklist
* when a 201 reply arrives, the response (source code) is scanned

These three steps are repeated for each resource, in this case we have 2 resources: blockeddomain.com and blockeddomain.com/iframe.html. You have put blockeddomain.com to exclusions, so a popup will not be triggered in the first step. But the source code contains an iframe to a blocked URL, therefore a HTML:Iframe-inf detection would pop up while scanning the source code.

You might say: "Iframes are not that common, who cares!", but this works the same way with JS as well. How do we solve this issue? Without "disabling webshield" on this whole domain, Avast would still keep popping up.

To sum it up: Domain blocking and content scanning is more closely related than one might think, and for me it makes sense for the users to be able to turn off both, but not to be able to turn off only one or the other. If it depended on me, I would get rid of the "Block malware URLs" checkbox altogether.

I hope I explained it a little, of course feel free to keep the discussion going, we might think of an improvement to the next version !

[Rundvleeskroket]

I don't mind the popups. And the blocking of the actually malicious parts of a site. Either on the domain or loaded from 3rd parties. But that still does not mean a URL should be blocked entirely if the URL blocking checkbox is left unchecked. This needs to be cleared up. I might not agree on how it will implement a blockade, but at least the description should match the behaviour.

I also think that when an iframe or script wants to load a malicious external site, that is the specific part that should be blocked (and generate a popup with the correct warning). Not the site that hosts the iframe or similar. So the result would be that the site is loaded but without the harmful elements. It might not function properly, but that is fine. The popup would clue you in that something was amiss, and what you get to see is the portion of the site that could be displayed safely.

[Eddy]

Blocking only the malicious parts on a site is like censoring a book.
I say show everything or nothing at all, like it is now.

Especially when a warning is shown while parts of the website can be viewed without a problem will confuse the users.

[Rundvleeskroket]

That analogy makes no sense. Do you hold the same view with regard to ad blockers or script/cookie/tracking blockers? Otherwise, you are being quite the hypocrite. Ad networks are a prime source of malicious 3rd party code.

[Eddy]

Block the entire site that is using a malicious ad(network)

[HonzaZ]

But that still does not mean a URL should be blocked entirely if the URL blocking checkbox is left unchecked. This needs to be cleared up.

I agree, and that is why I filled in a bug report

I also think that when an iframe or script wants to load a malicious external site, that is the specific part that should be blocked (and generate a popup with the correct warning). Not the site that hosts the iframe or similar. So the result would be that the site is loaded but without the harmful elements. It might not function properly, but that is fine. The popup would clue you in that something was amiss, and what you get to see is the portion of the site that could be displayed safely.

This is not implementable (is that a word ?)
When we see a malicious code, we must block the whole file that this is in - this is how AV works. We might detect a couple of bytes in an .exe file, and block it all, the very same way we might detect a couple of characters in a HTML page to block it all. Because what if there is another piece of malicious code that we do not detect? The safest option is to block the whole file. The detections we create would have to be MUCH more complicated if we wanted the rest of the site load safely. That would just not be viable.

[Rundvleeskroket]

The safest option is to not go online at all. But that is also not viable in today's world. So we need granularity in our online access. A way to properly choose what elements are shown and which aren't. And for the sake of practicality it needs to be automated. That is what a Web Shield is for, imho.

[Pondus]

Blocking only the malicious parts on a site is like censoring a book.
I say show everything or nothing at all, like it is now.

Especially when a warning is shown while parts of the website can be viewed without a problem will confuse the users.

This is what Malwarebytes does  >>  https://blog.malwarebytes.com/malwarebytes-news/2013/05/oh-the-sites-you-will-never-see/

[Rundvleeskroket]

Especially when a warning is shown while parts of the website can be viewed without a problem will confuse the users.

Not if this is an advanced option for advanced users. Keep the default wholesale blocking, but give more experienced users more control I say.

This is what Malwarebytes does  >>  https://blog.malwarebytes.com/malwarebytes-news/2013/05/oh-the-sites-you-will-never-see/

This approach is much more sensible imo

[HonzaZ]

But that is not possible, because even advanced users do not fully understand what which detection means and what danger it poses.
I say, block everything or nothing. If the detection is correct, it will be brought to the owner much faster (than if everyone just excludes it) and therefore will be healed much faster. If it is a false positive, it will be fixed much faster (because the users actually want us to fix it).
Creating advanced options would be very time consuming and prone to bugs (and bug here could mean an infected user!)

[bob3160]

Especially when a warning is shown while parts of the website can be viewed without a problem will confuse the users.

Not if this is an advanced option for advanced users. Keep the default wholesale blocking, but give more experienced users more control I say.

This is what Malwarebytes does  >>  https://blog.malwarebytes.com/malwarebytes-news/2013/05/oh-the-sites-you-will-never-see/

This approach is much more sensible imo

Totally disagree. Block it. As far as I'm concerned, no site is that important that you can't report what you think is a false positive and wait
for a correction if you happen to be right.

[Rundvleeskroket]

I don't think you should force everybody to the same lowest common denominator of protection granularity. The all or nothing approach. A a default, yes fine, but not as the only option. By forcing this, you also force people to disable more of their AV than necessary, to enable the access they feel they must have. So as an AV supplier you then choose to expose them to more harm (by their own doing) because they will eventually opt for an all or nothing approach themselves, and disable their AV altogether. Because they were not provided the option to selectively waive certain precautions.

[Rundvleeskroket]

Totally disagree. Block it. As far as I'm concerned, no site is that important that you can't report what you think is a false positive and wait
for a correction if you happen to be right.

It is NOT a false positive. In the case of for example an ad network serving malicious ads, that ad network can be blocked without blocking every site that would otherwise show ads from that network. This is what ad blockers do. You would not be OK with ad blocking software that completely blocks every site with an ad. i.e. pretty much everything, these days. An ad blocker is more selective. The code is stripped, and the rest of the site is shown. Script blockers do the same but with other code. And yes, sometimes that breaks part of the site. That is why it should be an advanced option only. But an option nonetheless. Imo.

[bob3160]

You're reading something into my reply that wasn't stated.
Bock it. If the user doesn't agree, report it and wait for a correction from Avast if the users assumption was correct.