Interception of web content by AV software (was Re: VML Patch for Win9x?)

Adam Piggott

98 said:
| You are confusing the simple detection of that exploit when
| encountered in, say, a cached file, vs the REAL TIME detection of the
| exploit code as it comes off the internet and into the browser.

No I am not. NOD32 intercepts web content as it is being downloaded from a
server and before it is sent to the client. Either it replaces the content
with a custom warning or terminates the connection and opens a warning window.

After asking a question, it's rude to then accuse a replyee of not knowing
what they are talking about before finding facts to back up your rebuke. It
also makes you look rather silly.

| I contend that you are not understanding the question.

That's nice.
 
98 Guy

Adam said:
| No I am not. NOD32 intercepts web content as it is being
| downloaded from a server and before it is sent to the client.

According to Dave Lipman, there is no AV software that sits in a
position to intercept network traffic and prevent the browser from
seeing malware. Have you been reading Dave's posts on this?

Somebody needs to explain something here...
 
Adam Piggott

98 said:
| According to Dave Lipman, there is no AV software that sits in a
| position to intercept network traffic and prevent the browser from
| seeing malware. Have you been reading Dave's posts on this?

I have seen his posts. Did you see my posts where I stated specifically
that NOD32 does prevent a browser from downloading malicious content?

| Somebody needs to explain something here...

http://www.proactiveservices.co.uk/research/nod32_imon1.png
....and then...
http://www.proactiveservices.co.uk/research/nod32_imon2.png

How's that! :)

Any anti-virus that cannot protect an Internet program from downloading
malicious content should really look at the changing landscape of malware
infection. Malware doesn't just arrive by email any more.
 
David H. Lipman

From: "James Egan" <[email protected]>

| On Sun, 01 Oct 2006 16:25:53 GMT, "David H. Lipman"
|
| Isn't that exactly what a layered service provider does?
|
| Jim.

No. That acts between the protocol stack and the Windows Sockets (WINSOCK).
 
David H. Lipman

From: "Adam Piggott" <[email protected]>


|
| http://www.proactiveservices.co.uk/research/nod32_imon1.png
| ...and then...
| http://www.proactiveservices.co.uk/research/nod32_imon2.png
|
| How's that! :)
|
| Any anti-virus that cannot protect an Internet program from downloading
| malicious content should really look at the changing landscape of malware
| infection. Malware doesn't just arrive by email any more.


I don't see how the NOD32 warning message is any different from the McAfee Enterprise log
event:

10/2/2006 10:53:48 AM Delete failed (Clean failed) DLIPMAN-1\lipman D:\temp\IE6\Temporary Internet Files\Content.IE5\P2IV2015\testvml[1].htm Exploit-VMLFill (ED)

The other graphic shows that the web page was not accessed. In this case, the URL does show
the content but, on truly malicious Exploit pages I have seen McAfee block access to the
malicious web page.

The question is, does NOD32 TRULY intercept the web page at the Internet level, or is it acting any
differently than other AV software?
 
James Egan

| From: "James Egan" <[email protected]>
|
| | On Sun, 01 Oct 2006 16:25:53 GMT, "David H. Lipman"
| |
| | Isn't that exactly what a layered service provider does?
| |
| | Jim.
|
| No. That acts between the protocol stack and the Windows Sockets (WINSOCK).

It might act there but it still "intercept(s) all communication
between the PC and the Internet."

Jim.
 
Adam Piggott

| From: "Adam Piggott" <[email protected]>
|
| | http://www.proactiveservices.co.uk/research/nod32_imon1.png
| | ...and then...
| | http://www.proactiveservices.co.uk/research/nod32_imon2.png
| |
| | How's that! :)
| |
| | Any anti-virus that cannot protect an Internet program from downloading
| | malicious content should really look at the changing landscape of malware
| | infection. Malware doesn't just arrive by email any more.
|
| I don't see how the NOD32 warning message is any different from the McAfee Enterprise log
| event:
|
| 10/2/2006 10:53:48 AM Delete failed (Clean failed) DLIPMAN-1\lipman D:\temp\IE6\Temporary Internet Files\Content.IE5\P2IV2015\testvml[1].htm Exploit-VMLFill (ED)

That's caught the cache file. One would presume that if the browser has got
as far as caching a malicious page it may well have rendered it and the
malicious content executed.

The difference is that Firefox (in this case) never saw any malicious content.

| The other graphic shows that the web page was not accessed. In this case, the URL does show
| the content but, on truly malicious Exploit pages I have seen McAfee block access to the
| malicious web page.

That was a malicious exploit page. The URL is only shown because I typed it
in and pressed Go :)
There is no content in the URL, it is as it is.

| The question is, does NOD32 TRULY intercept the web page at the Internet level, or is it acting any
| differently than other AV software?

Surely the fact that Firefox rendered nothing proves this? I have watched
NOD32 eat exploit code before. There's no question about it: NOD32 is
capable of blocking malicious web site content before it can execute or be
rendered.
 
David H. Lipman

|
| It might act there but it still "intercept(s) all communication
| between the PC and the Internet."
|
| Jim.

What AV software do you know uses a LSP Plug-In James ?
 
David H. Lipman

From: "Adam Piggott" <[email protected]>

| That's caught the cache file. One would presume that if the browser has got
| as far as caching a malicious page it may well have rendered it and the
| malicious content executed.

I think that's a faux presumption. I have been to many pages with Exploit code with similar
logged events. Never an infection.

10/6/2004 6:18:36 PM Deleted (Clean failed) DLIPMAN-1\lipman D:\temp\IE6\Temporary Internet Files\Content.IE5\FZ4HCZOS\css_menu[1].html\CSS_MENU[1] Exploit-CodeBase.gen

1/6/2005 5:54:27 PM Deleted DLIPMAN-1\lipman D:\temp\IE6\Temporary Internet Files\Content.IE5\FZ4HCZOS\mendel.home.comcast[1].htm Exploit-HelpZonePass

11/10/2005 9:17:50 PM Deleted DLIPMAN-1\lipman C:\Program Files\Opera\profile\cache4\opr000FY.htm Exploit-MhtRedir.gen

11/10/2005 10:50:45 PM Delete failed (Clean failed) DLIPMAN-1\lipman D:\temp\IE6\Temporary Internet Files\Content.IE5\FZ4HCZOS\sploit[1].anr Exploit-ANIfile

12/17/2005 1:04:45 AM Delete failed (Clean failed) DLIPMAN-1\lipman D:\temp\IE6\Temporary Internet Files\Content.IE5\WCZFECUD\index[1].php\INDEX[1] JS/Exploit-HelpXSite

12/30/2005 9:20:46 AM Delete failed (Clean failed) DLIPMAN-1\lipman D:\temp\IE6\Temporary Internet Files\Content.IE5\Z0WFDAGD\wbk43F1.tmp Exploit-MIME.gen.c

| The difference is that Firefox (in this case) never saw any malicious content.
|
| That was a malicious exploit page. The URL is only shown because I typed it
| in and pressed Go :)
| There is no content in the URL, it is as it is.
|
| Surely the fact that Firefox rendered nothing proves this? I have watched
| NOD32 eat exploit code before. There's no question about it: NOD32 is
| capable of blocking malicious web site content before it can execute or be
| rendered.

And that's the way of all AV software (well the way they are supposed to work).
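As an added example (not code from anyone in this thread), a small parser for the VirusScan Enterprise event layout quoted above that records where each detection landed: whether the flagged file was already inside a browser's cache, which is the point the two sides are arguing over, and whether the removal succeeded. The hostname, the third path and its detection name in the sample log are constructed.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Layout of the VirusScan Enterprise events quoted in the thread:
#   <m/d/yyyy h:mm:ss AM|PM> <action> <DOMAIN\user> <file path> <detection name>
# Paths contain spaces and the detection name may carry an "(ED)" suffix, so the
# fields are anchored on the timestamp, the DOMAIN\user token and the drive letter.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<action>.+?) "
    r"(?P<user>[^\s\\]+\\[^\s\\]+) "
    r"(?P<path>[A-Za-z]:\\.+?) "
    r"(?P<detection>\S+(?: \([A-Z]+\))?)$"
)
# Directory fragments that mark a browser's on-disk cache (IE, Opera, Firefox).
CACHE_MARKERS = ("\\temporary internet files\\", "\\content.ie5\\", "\\cache4\\", "\\cache\\")
@dataclass
class Event:
    ts: datetime
    action: str
    user: str
    path: str
    detection: str
    in_browser_cache: bool  # the file had already reached the browser's cache
    removed: bool           # the scanner reports the file as deleted
def parse_event(line: str) -> Optional[Event]:
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return Event(ts=datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p"),
                 action=m["action"], user=m["user"], path=m["path"], detection=m["detection"],
                 in_browser_cache=any(k in m["path"].lower() for k in CACHE_MARKERS),
                 removed=m["action"].startswith("Deleted"))
def parse_log(text: str) -> List[Event]:
    return [e for e in map(parse_event, text.splitlines()) if e]
def triage(text: str) -> dict:
    """Count detections that hit a file already in a browser cache and removals that failed."""
    events = parse_log(text)
    return {"events": len(events),
            "in_browser_cache": sum(e.in_browser_cache for e in events),
            "removal_failed": sum(not e.removed for e in events)}
# Constructed sample in the layout above; hostname, third path and its detection name are invented.
SAMPLE_LOG = r"""
10/2/2006 10:53:48 AM Delete failed (Clean failed) HOST-1\user D:\temp\IE6\Temporary Internet Files\Content.IE5\P2IV2015\testvml[1].htm Exploit-VMLFill (ED)
11/10/2005 9:17:50 PM Deleted HOST-1\user C:\Program Files\Opera\profile\cache4\opr000FY.htm Exploit-MhtRedir.gen
1/6/2005 5:54:27 PM Deleted HOST-1\user C:\Downloads\EXAMPLE_sample.exe EXAMPLE-Detection.gen
"""
```

A detection whose path is in a browser cache tells you the content reached the browser's disk store; on its own it does not tell you whether the page was rendered before the on-access scanner fired, which is exactly the distinction the thread leaves open.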
 
