Interception of web content by AV software (was Re: VML Patch for Win9x?)

David H. Lipman

From: "Adam Piggott" <[email protected]>


|
| That's caught the cache file. One would presume that if the browser has got
| as far as caching a malicious page it may well have rendered it and the
| malicious content executed.


I think that's a faux presumption. I have been to many pages with exploit code with similar
logged events. Never an infection.

10/6/2004 6:18:36 PM Deleted (Clean failed) DLIPMAN-1\lipman D:\temp\IE6\Temporary Internet Files\Content.IE5\FZ4HCZOS\css_menu[1].html\CSS_MENU[1] Exploit-CodeBase.gen

1/6/2005 5:54:27 PM Deleted DLIPMAN-1\lipman D:\temp\IE6\Temporary Internet Files\Content.IE5\FZ4HCZOS\mendel.home.comcast[1].htm Exploit-HelpZonePass

11/10/2005 9:17:50 PM Deleted DLIPMAN-1\lipman C:\Program Files\Opera\profile\cache4\opr000FY.htm Exploit-MhtRedir.gen

11/10/2005 10:50:45 PM Delete failed (Clean failed) DLIPMAN-1\lipman D:\temp\IE6\Temporary Internet Files\Content.IE5\FZ4HCZOS\sploit[1].anr Exploit-ANIfile

12/17/2005 1:04:45 AM Delete failed (Clean failed) DLIPMAN-1\lipman D:\temp\IE6\Temporary Internet Files\Content.IE5\WCZFECUD\index[1].php\INDEX[1] JS/Exploit-HelpXSite

12/30/2005 9:20:46 AM Delete failed (Clean failed) DLIPMAN-1\lipman D:\temp\IE6\Temporary Internet Files\Content.IE5\Z0WFDAGD\wbk43F1.tmp Exploit-MIME.gen.c



|
| The difference is that Firefox (in this case) never saw any malicious content.
||
| That was a malicious exploit page. The URL is only shown because I typed it
| in and pressed Go :)
| There is no content in the URL, it is as it is.
||
| Surely the fact that Firefox rendered nothing proves this? I have watched
| NOD32 eat exploit code before. There's no question about it: NOD32 is
| capable of blocking malicious web site content before it can execute or be
| rendered.

And that's the way of all AV software (well, the way they are supposed to work).
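The scanner events quoted in this post, re-read as a defender's triage script. This is an added example, not code from the post or from any AV vendor; it assumes only the event layout visible above (timestamp, action with an optional parenthesised note, MACHINE\user, file path, detection name last) and recognises just the two actions that appear, "Deleted" and "Delete failed". The browser-cache markers ("Temporary Internet Files", "Content.IE5", a "\cache" path component) are my assumption, chosen to match the IE and Opera paths in the log.

```python
import re
from datetime import datetime

# Constructed sample: the six on-access scanner events quoted in the post,
# each re-joined onto one line (the newsreader had wrapped them).
SAMPLE_LOG = r"""
10/6/2004 6:18:36 PM Deleted (Clean failed) DLIPMAN-1\lipman D:\temp\IE6\Temporary Internet Files\Content.IE5\FZ4HCZOS\css_menu[1].html\CSS_MENU[1] Exploit-CodeBase.gen
1/6/2005 5:54:27 PM Deleted DLIPMAN-1\lipman D:\temp\IE6\Temporary Internet Files\Content.IE5\FZ4HCZOS\mendel.home.comcast[1].htm Exploit-HelpZonePass
11/10/2005 9:17:50 PM Deleted DLIPMAN-1\lipman C:\Program Files\Opera\profile\cache4\opr000FY.htm Exploit-MhtRedir.gen
11/10/2005 10:50:45 PM Delete failed (Clean failed) DLIPMAN-1\lipman D:\temp\IE6\Temporary Internet Files\Content.IE5\FZ4HCZOS\sploit[1].anr Exploit-ANIfile
12/17/2005 1:04:45 AM Delete failed (Clean failed) DLIPMAN-1\lipman D:\temp\IE6\Temporary Internet Files\Content.IE5\WCZFECUD\index[1].php\INDEX[1] JS/Exploit-HelpXSite
12/30/2005 9:20:46 AM Delete failed (Clean failed) DLIPMAN-1\lipman D:\temp\IE6\Temporary Internet Files\Content.IE5\Z0WFDAGD\wbk43F1.tmp Exploit-MIME.gen.c
"""

# Event layout as it appears in the post: timestamp, action (with an optional
# parenthesised note), MACHINE\user, the file path (may contain spaces), and
# the detection name as the last token. Only the two actions seen are known.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<action>Deleted|Delete failed)"
    r"(?:\s+\((?P<note>[^)]*)\))?\s+"
    r"(?P<user>[^\s\\]+\\\S+)\s+"
    r"(?P<path>.+?)\s+"
    r"(?P<detection>\S+)$"
)

# Assumed markers for a browser cache location (IE's Temporary Internet Files
# and Opera's cache directory are the two that occur in the post).
CACHE_MARKERS = ("temporary internet files", "content.ie5", "\\cache")


def parse_event(line):
    """Return a dict for one scanner event, or None if the line is not one."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["timestamp"] = datetime.strptime(rec.pop("ts"), "%m/%d/%Y %I:%M:%S %p")
    rec["in_browser_cache"] = any(mk in rec["path"].lower() for mk in CACHE_MARKERS)
    # The file is gone only when the delete itself succeeded; "(Clean failed)"
    # after "Deleted" just means disinfection was not possible before removal.
    rec["file_removed"] = rec["action"] == "Deleted"
    return rec


def triage(log_text):
    """Summarise which flagged cache files were removed and which remain on disk."""
    events = [e for e in map(parse_event, log_text.splitlines()) if e]
    return {
        "total": len(events),
        "in_browser_cache": sum(e["in_browser_cache"] for e in events),
        "removed": [e["detection"] for e in events if e["file_removed"]],
        "still_on_disk": [e["path"] for e in events if not e["file_removed"]],
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(f"{summary['total']} events, {summary['in_browser_cache']} in a browser cache")
    print("removed:", ", ".join(summary["removed"]))
    for path in summary["still_on_disk"]:
        print("still on disk, check by hand:", path)
```

The split the script makes is the one that matters for follow-up: a "Delete failed" entry means the flagged file is still sitting in the cache and deserves a manual look, whereas "Deleted" only tells you the cached copy is gone; neither line, on its own, says whether the page's content ever executed.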
 
David H. Lipman

|
| From past threads in acv/acav, AVG email checking does. Don't know
| about any others.
|
| Jim.

Thank You.
 
Adam Piggott

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
|
| It might act there but it still "intercept(s) all communication
| between the PC and the Internet."
|
| Jim.

What AV software do you know uses an LSP plug-in, James?

NOD32 does.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)

iD8DBQFFIVln7uRVdtPsXDkRArjrAJoDbKMqrnrRVxHpEespb9nUgHsZcACfWmub
d+uJ2iUfADlcanDlDo0oOCU=
=Aa5H
-----END PGP SIGNATURE-----
 
98 Guy

Adam said:
NOD32 does.

If NOD32 has this capability, and if few or no other AV software does,
then wouldn't this make NOD32 the hands-down winner of all of the
various "what's the best AV software?" threads?

(I usually don't follow those threads, hence my question)

Not even Kaspersky does this?
 
Adam Piggott

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

98 said:
If NOD32 has this capability, and if few or no other AV software does,
then wouldn't this make NOD32 the hands-down winner of all of the
various "what's the best AV software?" threads?

(I usually don't follow those threads, hence my question)

Not even Kaspersky does this?

A very wide question :)

I haven't done a lot of recent testing on other programs, but my two cents
would be that I trust no other anti-virus product on the market to protect
my customers.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)

iD8DBQFFIlby7uRVdtPsXDkRAg5ZAKCeLErvJ+l44FB8vzK8ZmOBkKCrAwCeL41A
QZadHDUW3AHAP2sKl4L1154=
=jnp/
-----END PGP SIGNATURE-----
 
Dan W.

Adam said:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



A very wide question :)

I haven't done a lot of recent testing on other programs, but my two cents
would be that I trust no other anti-virus product on the market to protect
my customers.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)

iD8DBQFFIlby7uRVdtPsXDkRAg5ZAKCeLErvJ+l44FB8vzK8ZmOBkKCrAwCeL41A
QZadHDUW3AHAP2sKl4L1154=
=jnp/
-----END PGP SIGNATURE-----

Are you saying that Kaspersky is the only anti-virus program that you
trust? BTW, the nice thing about really learning your PC is that you
start to understand what is really going on and you do not need things
like pop-up blockers, and even anti-virus programs are not usually
needed. Anti-spyware programs are still nice since it is still so easy
to get spyware and other baddies out there. The key question users
must ask themselves, especially on a clean machine, is "What did I do to
cause myself to get this pop-up or this piece of spyware?" For example,
did I browse to an unknown site, did I click on an unknown email
attachment, am I reading all emails in plain text and only enabling the
HTML of that email when I am fairly sure that it is safe, etc. If the
user is careful then the user can learn lots of stuff and start figuring
out how to manually configure stuff through DOS or the Command Prompt in
XP Professional.
The user can then continue to delve into the registry, always making
sure to have backups, and start reading and learning about adding and
deleting keys. The user can also start learning about the BIOS, how to
safely flash it for an upgrade, how to safely configure settings, etc.
I am now at the point where I really enjoy my computer and I take
passion in my job of fixing insecure computers at work as well as
teaching children, who I feel help keep me young, and it is exciting to
try and pass on my values, or at least encourage them in the direction of
positive values, and know that you are making a small amount of
difference in this chaotic world.
 
Adam Piggott

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I think you misunderstood. I believe Adam is touting NOD32, not Kaspersky.

Oops, you're correct, thank you for clearing that up.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)

iD8DBQFFImJq7uRVdtPsXDkRAof/AKCFjlzByF88gZopyfuqU7er4uHnZgCgir0W
5Rn6plhHsr+yJH0XpgLUmMI=
=6vld
-----END PGP SIGNATURE-----
 
Dan W.

Adam said:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Oops, you're correct, thank you for clearing that up.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)

iD8DBQFFImJq7uRVdtPsXDkRAof/AKCFjlzByF88gZopyfuqU7er4uHnZgCgir0W
5Rn6plhHsr+yJH0XpgLUmMI=
=6vld
-----END PGP SIGNATURE-----

Thanks Gary and Adam. BTW, Adam, why do your messages include all the
extra stuff?
 
Adam Piggott

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Adam Piggott wrote:


Oops, you're correct, thank you for clearing that up.
Thanks Gary and Adam. BTW, Adam, why do your messages include all the
extra stuff?

The extra stuff is a digital signature, so that anyone using an
OpenPGP-compliant email program[1] can verify that I was the poster and
that the message hasn't been tampered with since sending.

I do this as I post on behalf of my business and consider it good practice
to do so. And to pre-empt anyone who is tempted, I've discussed why some
consider it pointless or wasteful to do so, and won't do so further :)

[1] I use Thunderbird with the Enigmail plug-in and GnuPG.


Cheers,

Adam Piggott, Proprietor, Proactive Services (Computing).
http://www.proactiveservices.co.uk/

Please replace dot invalid with dot uk to email me.
Apply personally for PGP public key.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)

iD8DBQFFImtx7uRVdtPsXDkRAi2iAJ0SVfxoPvrz5Mi05m7Aev9aU6oK3wCglIz+
7G/KYeLX+ctbbn3CHgmUSA4=
=+ht1
-----END PGP SIGNATURE-----
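As an added example (not the poster's code, and not what an OpenPGP client does when it verifies a message): a Python script that reads the armored signature block above and reports what the block says about itself, namely the signing key ID, the public-key and hash algorithms, the signature type, the creation time, and whether the armor checksum still matches the decoded bytes. It does not verify the signature; that needs the signer's public key (which Adam says to request from him personally) and the exact signed text. The packet layout, the CRC-24 and the algorithm identifiers follow RFC 4880; the sample armor is copied from the post, and the script handles only the old-format v3 signature packet that GnuPG 1.4 emitted here.

```python
import base64
from datetime import datetime, timezone

# Constructed sample: the armored signature from the post above, copied as-is.
# The signed text is not needed to read the packet's own metadata.
SAMPLE_ARMOR = """
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)

iD8DBQFFImtx7uRVdtPsXDkRAi2iAJ0SVfxoPvrz5Mi05m7Aev9aU6oK3wCglIz+
7G/KYeLX+ctbbn3CHgmUSA4=
=+ht1
-----END PGP SIGNATURE-----
"""

# Identifiers from RFC 4880 (sections 9.1, 9.4 and 5.2.1).
PUBKEY_ALGOS = {1: "RSA", 17: "DSA"}
HASH_ALGOS = {1: "MD5", 2: "SHA-1", 8: "SHA-256"}
SIG_TYPES = {0x00: "binary document", 0x01: "canonical text document"}


def crc24(data):
    """OpenPGP armor checksum (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def parse_armor(text):
    """Split an armored signature into headers, packet bytes and the sent CRC."""
    lines = text.strip().splitlines()
    if lines[0] != "-----BEGIN PGP SIGNATURE-----" or lines[-1] != "-----END PGP SIGNATURE-----":
        raise ValueError("not an armored PGP signature block")
    inner = lines[1:-1]
    blank = inner.index("")  # armor headers end at the first empty line
    headers = dict(h.split(": ", 1) for h in inner[:blank])
    b64 = [line for line in inner[blank + 1:] if line]
    if not b64 or not b64[-1].startswith("="):
        raise ValueError("armor checksum line missing")
    sent_crc = int.from_bytes(base64.b64decode(b64.pop()[1:]), "big")
    return headers, base64.b64decode("".join(b64)), sent_crc


def parse_v3_signature(data):
    """Decode the fixed fields of an old-format v3 signature packet."""
    tag_byte = data[0]
    if not tag_byte & 0x80 or tag_byte & 0x40:
        raise ValueError("only old-format packet headers are handled here")
    tag, ltype = (tag_byte >> 2) & 0x0F, tag_byte & 0x03
    if tag != 2:
        raise ValueError(f"expected a signature packet (tag 2), got tag {tag}")
    hdr_len = {0: 2, 1: 3, 2: 5}.get(ltype)  # 1-, 2- or 4-octet length field
    if hdr_len is None:
        raise ValueError("indeterminate packet length not handled")
    length, body = int.from_bytes(data[1:hdr_len], "big"), data[hdr_len:]
    if len(body) != length:
        raise ValueError("packet length disagrees with decoded data")
    if body[0] != 3 or body[1] != 5:
        raise ValueError(f"expected a v3 signature, got version {body[0]}")
    return {
        "version": 3,
        "sig_type": body[2],
        "sig_type_name": SIG_TYPES.get(body[2], "other"),
        "created": datetime.fromtimestamp(int.from_bytes(body[3:7], "big"), timezone.utc),
        "key_id": body[7:15].hex().upper(),
        "pubkey_algo": body[15],
        "pubkey_algo_name": PUBKEY_ALGOS.get(body[15], "other"),
        "hash_algo": body[16],
        "hash_algo_name": HASH_ALGOS.get(body[16], "other"),
        "hash_prefix": body[17:19].hex().upper(),  # left 16 bits of the digest
    }


def inspect_signature(text):
    """Report what the signature block says about itself, without verifying it."""
    headers, data, sent_crc = parse_armor(text)
    info = parse_v3_signature(data)
    info["headers"] = headers
    info["crc_ok"] = crc24(data) == sent_crc  # catches a damaged or edited armor
    return info


if __name__ == "__main__":
    for key, value in inspect_signature(SAMPLE_ARMOR).items():
        print(f"{key:18} {value}")
```

The key ID the script reports is the value to compare against the public key you obtain from the signer, and the hash-prefix field is the left 16 bits of the digest a verifier recomputes over the message, which is why a real verifier can reject a tampered body quickly. A failed CRC means the armor itself was altered or mangled in transit (line wrapping by a newsreader is the usual cause), which is a transport problem rather than evidence about the signer.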
 
