Author Topic: Benefits of web shield (https scanning)?  (Read 1393 times)

Offline RichardEb

  • Jr. Member
  • **
  • Posts: 40
Benefits of web shield (https scanning)?
« on: November 08, 2017, 02:53:08 PM »
Hi,

What are the benefits of the avast web shield (https scanning)? When I disable the web shield an infected file can be downloaded....ok. But before the file is executed avast scans the file anyway. So where is the benefit of https interception?

Thank you

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 44082
  • 60 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: Benefits of web shield (https scanning)?
« Reply #1 on: November 08, 2017, 03:42:32 PM »
There are also infected websites, scripts etc.
80% of all infections come via the internet.
Webshield is your most important protection if you do anything on the internet.
Free avast! Security Seminar: http://bit.ly/2N1eaR2  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 10 Pro v1909 64bit, 24 Gig Ram, 1TB SSD, AvastOmni 20.7.xxx, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 83751
  • No support PMs thanks
Re: Benefits of web shield (https scanning)?
« Reply #2 on: November 08, 2017, 03:46:36 PM »
Not all files are scanned by the file system shield by default, that are scanned by the web shield.

By disabling https nothing is scanned by the web shield, so you are relying on whatever the file content is being in the default setting of the file system shield.

By disabling https the web shield won't detect URL:MAL if there is a malicious url or redirect in that https page.

The real question is, what are you hoping to gain by disabling https scanning?
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 2004 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 20.7.2425 (build 20.7.5568.595) UI-1.0.558/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro

Offline RichardEb

  • Jr. Member
  • **
  • Posts: 40
Re: Benefits of web shield (https scanning)?
« Reply #3 on: November 08, 2017, 06:17:17 PM »
I still don't know what the web shield should achieve.

I can think only about two infection ways:

1.) By executing a downloaded "bad" file by myself. The file system shield will protect me in this case.

2.) If the website (HTML, JavaScript, ...) uses a vulnerability in my browser to attack me. But in this case avast can't protect me. If avast knows about the attack vector the browser vendor has also fixed the issue. If the vendor doesn't know about it avast won't either.

3.) Did I miss an attack vector?
« Last Edit: November 08, 2017, 06:19:33 PM by RichardEb »

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 66723
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Benefits of web shield (https scanning)?
« Reply #4 on: November 09, 2017, 05:04:07 AM »
Win 8.1 [x64] - Avast PremSec 20.8.2427.B#2 [UI.560] - CC 5.71 - EEK - FF ESR 68.12 [NS/AOS/uBO/PB] - TB 68.12 - SB/CP/SL/DU.BC
Deutschsprachiger Bereich -> Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11761
    • AVAST Software
Re: Benefits of web shield (https scanning)?
« Reply #5 on: November 09, 2017, 09:05:24 AM »
Quote
2.) If the website (HTML, JavaScript, ...) uses a vulnerability in my browser to attack me. But in this case avast can't protect me. If avast knows about the attack vector the browser vendor has also fixed the issue. If the vendor doesn't know about it avast won't either.

I don't think this is how it works - even if we assume that you update your browser and all related 3rd party "plugins" as soon as an update is released.
While the virus definitions can target a specific code exploiting a particular vulnerability, the detections are often more "simple" - e.g. they can detect the subsequent downloading phase (either the downloader script, or just the sites known to distribute malware). While this may not be the ultimate protection against the vulnerability (say against a targeted attack), it can be quite efficient - we see ongoing campaigns on our user base and we can just block the specific sites/scripts (and since this doesn't require a full dissecting of the specific vulnerability, it can be done faster than the vendor fixes the issue - if there's a 0-day phase during which the malware already spreads).

Furthermore, you shouldn't assume that the File Shield blocks every known malware... now of course we try our best, but nothing is perfect in reality, right :)
So it can happen that the File Shield misses a specific sample - yet it gets (or would get) blocked by the Web Shield during download - because it's downloaded from a known malware distribution site. So the layered approach brings some value.

Offline John712

  • Jr. Member
  • **
  • Posts: 68
Re: Benefits of web shield (https scanning)?
« Reply #6 on: November 09, 2017, 10:51:09 AM »
"So it can happen that the File Shield misses a specific sample - yet it gets (or would get) blocked by the Web Shield during download - because it's downloaded from a known malware distribution site"

If the site is on the list of "known malware distribution", seems to be logical that Avast! knows which malware is being distributed. (otherwise why put the site on the list????)
So, if the malware is known, should be detected by the file shield.

At least this seems to be a logical chain of events....

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 36755
Re: Benefits of web shield (https scanning)?
« Reply #7 on: November 09, 2017, 10:56:36 AM »
Quote
If the site is on the list of "known malware distribution", seems to be logical that Avast! knows which malware is being distributed. (otherwise why put the site on the list????)
So, if the malware is known, should be detected by the file shield.

At least this seems to be a logical chain of events....
Today they may distribute a known malware, tomorrow they may distribute a completely new one not known yet .... Also, when the location URL/IP is blocked by many or taken down, they start up at a new, not blocked location and the arms race continues.

https://www.zscaler.com/blogs/research/top-exploit-kit-activity-roundup-spring-2017


« Last Edit: November 09, 2017, 11:37:17 AM by Pondus »

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11761
    • AVAST Software
Re: Benefits of web shield (https scanning)?
« Reply #8 on: November 09, 2017, 01:43:01 PM »
Quote
If the site is on the list of "known malware distribution", seems to be logical that Avast! knows which malware is being distributed. (otherwise why put the site on the list????)
So, if the malware is known, should be detected by the file shield.

First, if a site distributes a thousand different (and I mean really different) pieces of malware - do you really want your antivirus to get a thousand different definitions (which - in the long term - grows the size of the product on disk, in memory, and possibly slows down the scanning), or rather get one detection which blocks the site - i.e. everything, past and future?

Second (and more importantly), whoever downloads a file from that site, may simply get different content (either based on country, browser, etc. - or simply a unique generated file for each touch). So there's no way we can reliably get all the samples it serves...
« Last Edit: November 09, 2017, 01:48:31 PM by igor »
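
Added example, not part of the thread and not Avast's code: a small simulation of the two points in the reply above, comparing one site-level detection with per-file definitions when a site serves a unique file for each request. The host name, the inert sample bytes and all function names are constructed, and exact SHA-256 matching is a deliberate simplification of file-level detection.

```python
import hashlib
import itertools
from urllib.parse import urlsplit

_serial = itertools.count()  # makes every served file differ, deterministically


def serve_sample(url: str) -> bytes:
    """Constructed stand-in for a site that returns a unique file per request."""
    return b"INERT-CONSTRUCTED-SAMPLE-" + str(next(_serial)).encode()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def file_layer_detects(data: bytes, known_hashes: set) -> bool:
    """Simplified file-level check: exact hash match against collected samples."""
    return sha256_hex(data) in known_hashes


def web_layer_detects(url: str, blocked_hosts: set) -> bool:
    """Site-level check: block the listed host and any of its subdomains."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == b or host.endswith("." + b) for b in blocked_hosts)


def simulate(url: str, collected: int = 1000, user_downloads: int = 500) -> dict:
    # The vendor collects `collected` samples and writes one definition each...
    known_hashes = {sha256_hex(serve_sample(url)) for _ in range(collected)}
    # ...or adds a single detection for the distributing site (assumed name).
    blocked_hosts = {"malware-dist.example"}

    file_hits = web_hits = 0
    for _ in range(user_downloads):
        # Both layers are evaluated independently here to compare coverage;
        # in practice a site-level block stops the download before any file exists.
        if web_layer_detects(url, blocked_hosts):
            web_hits += 1
        if file_layer_detects(serve_sample(url), known_hashes):
            file_hits += 1
    return {
        "file_definitions": len(known_hashes),
        "url_definitions": len(blocked_hosts),
        "file_layer_hits": file_hits,
        "web_layer_hits": web_hits,
    }


if __name__ == "__main__":
    print(simulate("https://cdn.malware-dist.example/setup.exe"))
```
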