Which Anti-Virus progs monitor your internet connection?

Mel
I've often noted when opening demo (and real) exploits in my browser that whatever anti-virus program I'm using at the time is completely ineffective, because it doesn't detect the exploit until the web page is cached to disk (in some cases not until I visit the exploit page a second time, presumably when the cached page is read).

By which time, if I were vulnerable, the exploit will have already succeeded and will have its payload running in memory, or crashed IE if that's what it is supposed to do.

So my question is: which anti-virus programs scan TCP/IP traffic before the browser 'sees' it?
 
NOD32 here too, works like none other.

Avast is very good at that too; both of these keep scanning active objects in RAM and objects requiring CPU attention. The worst I have seen is Zone Alarm's AV; they use the CA engine and it does not really work well.
 
Avast catches viruses/trojans before the web page displays (at least that's what I think it's doing). :confused:
 
Here's an example of why I asked

There's an IE test exploit for the (now fixed) Microsoft Vector Markup Language vulnerability here: http://www.isotf.org/zert/testvml.htm (it is supposed to be harmless, other than crashing IE).

If the IE VML component is installed, when opened in IE on a patched system it will just draw two red filled rectangles (on an unpatched system it is designed to crash IE).

Now my anti-virus program (and probably every other one I've ever used) would not detect the exploit until after the rectangles are displayed, or, if I was still vulnerable, after IE crashed. Following this I get an alert that my A-V has quarantined a virus. Too late if you ask me, as it is just detecting the page being cached to disk; if it was a real exploit it would have already executed its payload.

If you don't see the rectangles in IE, then VML probably isn't installed. If you don't have VML installed, this VML demo won't work either: http://msdn.microsoft.com/library/default.asp?url=/workshop/author/vml/SHAPE/examples/multidemo.asp (a coloured square should be visible below the title).

My guess is most A-V companies consider scanning HTML too impractical, but I was curious if any offer it as a feature.
 
NOD32 immediately catches this with no problem and displays a big RED "Threat Detected" warning message (without first displaying the page).
 
True, NOD32 would catch it before it opens. Same with any browser, not just IE.

You get what you pay for, and NOD32 updates regularly.
 
Mel, I have the perfect way to avoid this happening.

USE FIREFOX AND BOOT MS :D
 
:laugh:

Unfortunately Firefox has been known to have critical vulnerabilities too.

Sure, they are less common, more quickly patched, and FF is a much less popular target than Microsoft, but changing browser is not a perfect solution; it is a limitation of the anti-virus. I only used an old IE exploit as an example because they are much easier to find. ;)
 
Looks like I will have to give NOD32 a try.

My Thanks to Kits and Ex-fast24.
 
I use Opera now, and only IE for certain websites that need IE. I have to say that since using Opera I have had fewer instances of the problems like you mention, but again I have NOD32 working away all the time.
 
I'm increasingly using Opera and/or Firefox now, even though I've got IE fairly secure, because since installing the last few Windows 98 patches IE is no longer that stable even on a clean install (seems to be an issue with one of the final patches and my hardware/drivers).
 
Hi Guys.

Just to let you know that the page containing the exploit was blocked and a virus alert came up when using BitDefender 10. :)
 
I get the following when trying to get that page:

VML test case, CVE-2006-4868

This is a test page to determine whether your browser is vulnerable to the VML vulnerability specified in CVE-2006-4868.

Since your browser is not Internet Explorer 5 or higher it does not support the vulnerable VML module, and you are therefor not vulnerable.

If you would like to know more about the Zeroday Emergency Response Team, please visit http://isotf.org/zert/

But I am using Firefox on an Apple Mac.
 
Using BitDefender 10 on the Default setting I get the following message:

VML test case, CVE-2006-4868
This is a test page to determine whether your browser is vulnerable to the VML vulnerability specified in CVE-2006-4868.

If you can see two colored boxes above and your browser has not crashed at this point, you are not vulnerable.

If you would like to know more about the Zeroday Emergency Response Team, please visit http://isotf.org/zert/

I do see the two coloured boxes.

The virus alert is also displayed.

Using BitDefender on the Aggressive setting I just get the virus alert and the page is blocked. :)

Internet Explorer 7.0.5730.11

Just noticed: Aggressive mode scans web (HTTP) traffic; Default doesn't.
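The difference the last post describes, in code: an added example (not from this thread and not any vendor's implementation) of the check an HTTP-traffic scanning mode performs, i.e. reading the server's response off the wire and matching it before the browser renders it, rather than waiting for the page to hit the disk cache. It undoes chunked transfer encoding and gzip first, because a filter that matches on the raw bytes never sees the markup of a compressed page. The signature marker and the sample responses are constructed for illustration.

```python
import gzip

# Constructed signature list for illustration only; the marker is made up here.
SIGNATURES = {"constructed-test-marker": b"CONSTRUCTED-WEB-SCAN-TEST-MARKER"}

def _dechunk(body: bytes) -> bytes:
    """Reassemble a Transfer-Encoding: chunked body into plain bytes."""
    out, pos = bytearray(), 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0], 16)  # ignore chunk extensions
        if size == 0:
            return bytes(out)
        out += body[end + 2:end + 2 + size]
        pos = end + 2 + size + 2  # skip chunk data and its trailing CRLF

def decode_response(raw: bytes) -> bytes:
    """Return the body of a raw HTTP/1.1 response as the browser would see it."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        key, _, value = line.partition(b":")
        headers[key.strip().lower().decode()] = value.strip().decode()
    # Undo transfer encoding, then content encoding: matching on the chunked
    # or compressed bytes would never see the markup at all.
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = _dechunk(body)
    if headers.get("content-encoding", "").lower() == "gzip":
        body = gzip.decompress(body)
    return body

def scan_response(raw: bytes):
    """Verdict before the browser renders anything: signature name, or None."""
    body = decode_response(raw)
    for name, needle in SIGNATURES.items():
        if needle in body:
            return name
    return None

def build_response(body: bytes, gzip_it: bool = False, chunk: bool = False) -> bytes:
    """Constructed helper: fabricate a test response, optionally gzip'd and/or chunked."""
    hdrs = [b"HTTP/1.1 200 OK", b"Content-Type: text/html"]
    if gzip_it:
        body, hdrs = gzip.compress(body), hdrs + [b"Content-Encoding: gzip"]
    if chunk:
        hdrs.append(b"Transfer-Encoding: chunked")
        body = b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)
    else:
        hdrs.append(b"Content-Length: %d" % len(body))
    return b"\r\n".join(hdrs) + b"\r\n\r\n" + body
```

A scanner that only hooks the disk cache would return the same verdict, but only after the page has been fetched and rendered; the point of the inline position is that scan_response runs on the response before anything is handed to the browser.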
 