Question: If the site contains malware, should the frontline page be blocked?

Status
Not open for further replies.
What I wanted to ask is this: is it enough if the malware is caught on the site containing malware (when downloaded), as in the site I gave as an example, or should antiviruses block the page as a first priority, so that the downloading of possible malware is prevented by blocking the website?
Yes, it is better to block the website first, rather than waiting for the file to land on the local drive.
I know; I was comparing extension by extension, not extension by antivirus.
To compare the extensions, firstly you need to install the extensions and secondly, you need to populate a large number of URLs (ideally over 50-60).

You then have to perform the test absolutely at the same time, because if you keep testing for an hour, you’ve given an unfair advantage to whoever is tested last.

One URL on VirusTotal is not indicative of whether the URL is blocked or not, or of how good the company’s web blocking is.
 
Thanks for the information @SeriousHoax. Done, the URL has been sent. We will wait, as indicated below on the McAfee website, for 3-5 days.

[attached screenshot]
 
@Moonhorse , my posts got lost under a huge number of posts.

Even though McAfee did not block the site, the untested site added confidence to the detection.

The Heuristic Threat Intelligence returned 65 on the URL reputation, which together with the analysis of the other engines was way more than what was needed to quarantine the file.

So even though McAfee has not seen the website and doesn’t block it outright, it very aggressively targets all files downloaded from there.

Bitdefender and a few others have happened to see this website. There are millions of malicious websites every day, nobody can obtain and classify all of them.

Other solutions function on a similar basis.

In essence, the user’s system is protected.
 
This explains quite a lot, very much appreciated. I was about to go for a security extension like Malwarebytes Browser Guard, which blocks the site, to have multiple layers of protection, and was thinking about buying ControlD, but I guess I’ll rely on McAfee alone after this.

also thanks for that link @SeriousHoax
 
McAfee uses real time analysis to detect Phishing.
This website just contains one malware download.

The malware download was analysed by all engines.

hti (Heuristic Threat Intelligence): File Rep: 15, HTI Rep: 15, URL Rep: 65
av (Antivirus): HTI Rep: 50
neo (ML/AI Engine): HTI Rep: 50
HTI is the reputation engine. Over 1, everything is malicious. The more it goes up, the more instances McAfee has seen of something similar.
File reputation here is 15.

URL reputation analyses the address where the file comes from.
0 means the website is safe. URL reputation here is 65 (which borders with malicious).

AV uses generic detections to detect malware.
AV returned 50, which means there was a signature matched. That alone was enough to quarantine the file.

Neo emulates the file quickly in memory and uses heuristics to classify the behaviour. Neo returns different results based on how malicious the behaviour looks. Here, it returned 50 (maximum confidence that the behaviour is malicious).

So not one, but multiple engines blocked the file and the untested reputation of the domain was also taken into account.
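The engine output above is a flattened report, and the post spells out how each score is read. As an added example (not McAfee’s code or its actual decision logic), the following parses those lines into structured scores and applies the rules as the post describes them: HTI above 1 is malicious, an AV score of 50 is a signature match sufficient on its own, Neo 50 is maximum behavioural confidence, and URL reputation raises confidence without blocking the file by itself. The sample report is constructed from the lines in the post.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the three engine lines exactly as posted in the thread.
SAMPLE_REPORT = """\
hti (Heuristic Threat Intelligence)File Rep: 15, HTI Rep: 15, URL Rep: 65
av (Antivirus)HTI Rep: 50
neo (ML/AI Engine)HTI Rep: 50
"""

LINE_RE = re.compile(r"^(?P<engine>\w+)\s*\((?P<name>[^)]*)\)\s*(?P<scores>.+)$")
SCORE_RE = re.compile(r"(?P<key>[A-Za-z ]+?)\s*Rep:\s*(?P<val>\d+)")

def parse_report(text):
    """Turn the flattened engine lines into {engine: {score_name: int}}."""
    engines = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        scores = {k.strip().lower(): int(v) for k, v in SCORE_RE.findall(m.group("scores"))}
        engines[m.group("engine")] = scores
    return engines

@dataclass
class Verdict:
    quarantine: bool
    reasons: list = field(default_factory=list)

def decide(engines):
    """Simplified model of the rules described in the post (assumption, not vendor logic):
    HTI file reputation above 1 is malicious; AV 50 is a signature match and alone
    suffices to quarantine; Neo 50 is maximum confidence in malicious behaviour;
    URL reputation 0 is clean, higher values add confidence but do not block a file.
    """
    reasons = []
    hti = engines.get("hti", {})
    if hti.get("file", 0) > 1:
        reasons.append(f"HTI file reputation {hti['file']} > 1")
    if engines.get("av", {}).get("hti", 0) == 50:
        reasons.append("AV signature match (50)")
    if engines.get("neo", {}).get("hti", 0) == 50:
        reasons.append("Neo emulation: maximum confidence (50)")
    url_rep = hti.get("url", 0)
    if url_rep > 0:
        reasons.append(f"URL reputation {url_rep} (domain not trusted)")
    # Quarantine requires at least one engine hit; URL reputation alone is only context.
    engine_hits = [r for r in reasons if not r.startswith("URL")]
    return Verdict(quarantine=bool(engine_hits), reasons=reasons)
```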
 
In essence, the user’s system is protected.
How did you manage to download the jar file? I tried everything to download the Ikov.jar file, even disabling K, but the browser is blocking it, as you can see in the screenshot below. It has nothing to do with MD or K. :)
[attached screenshot]
 
I think I had to click there on the 3 dots and choose “continue” or something.
 
Discrepancies between VT and local AV are understandable, as there are factors such as different configuration/sensitivity levels. There is also the factor of delay.

If your local AV detects something suspicious but not yet confirmed to be malicious, it will share that intel with the cloud (KSN for K, SPN for TM, GTI, etc.). For the time being, it is only tagged for you locally. Once that is tested in the labs, a pattern/signature will be created and will also be tagged back to the whole cloud infrastructure for global detection. That is why the VT results are not the full AV detection, as some only use the CLI SDK without the cloud component. The "strength in numbers" is how the cloud works: the more local agents tag it, the more priority it gets in the labs, as it represents a possible live attack pattern. Nobody can miss it, as those are shown on the big screens in the threat labs with Red, Green and Yellow warnings indicating severity.
Those are a few factors of the delay in VT detection vs your local AV.
 
You summed this up well; very understandable stuff. Even if it’s ''tech language'', it’s very easy to understand what this is about.

I appreciate that you explain how antiviruses work and why one should be using one, instead of people yelling ''McAfee bad, Kaspersky good''.
Some people just tend to bash a specific antivirus and praise another; you can talk constructively about one and explain the pros/cons very understandably.

respect
 
If your local AV detects something suspicious but not yet confirmed to be malicious, it will share that intel with the cloud (KSN for K, SPN for TM, GTI, etc.)
That is why an AV with a large user base is preferable to those with fewer users, as it will help detect threats earlier.
 
I managed to download it using Chrome, but I had to allow it in Osprey because it was blocking it. Now I ask @Parkinsond, why did you remove the Osprey extension from your browser? No, I think it's redundant, because you only use MD. If you had Osprey Browser Protection, it would have blocked not only the page, but also the .Jar file.

[attached screenshot]
 
That is why an AV with a large user base is preferable to those with fewer users, as it will help detect threats earlier.
Yes, in the sense that a large user base means lots of responsibility too, as people trust your product more than the others. More files to analyze, more work to do.

This is one of the reasons why Trend Micro (Asus, TP-Link, Acer) and Bitdefender (Netgear) strategize to have their security in the router gateway. Imagine how much data they will analyze from those home users, even without a local AV installed.
 
Now I ask @Parkinsond, why did you remove the Osprey extension from your browser?
Osprey detection is more than fine using the powerful Norton Safe Web, but it has two drawbacks:
1. Norton has many false positive detections; better than false negative ones, but annoying.
2. I noticed that after choosing to allow a blocked website, some of them did not load properly, as is the case when using the Norton Safe Web extension and some other extensions.
 
1. This is normal for any product; the more aggressive it is, the greater the chance of false positives.
2. I have never had any problems with Osprey and use it every day. I have it installed and activated on all browsers, and pages load normally. You need to clear the list of allowed sites, even if it is a false positive. If you encounter any problems, you need to report them to @Foulest, if possible with a screenshot, a GIF recording or a video recording so that he can analyse and fix the bug. Just wanted to point that out. You will not find a perfect extension or a perfect antivirus. Today Osprey blocked this page and also this .jar file, and McAfee WebAdvisor did not block it, but tomorrow the opposite may happen as well. Every day, countless pieces of malware appear, and it is impossible to predict which AV product or extension will offer you effective protection, because not all of them have the same engines. :)
[attached screenshot]
 
I have never had any problems with Osprey and use it every day
I had not faced problems either, until lately.
If you encounter any problems, you need to report them to @Foulest
I have reported it to Foulest on the dedicated thread; it is a very good extension, but there might be some bug which needs to be fixed.
if possible with a screenshot
I do not know if it is allowed to post data about websites providing pirated movies and tv series on MT or not; I do like to respect the rules.
Every day, countless pieces of malware appear, and it is impossible to predict which AV product or extension will offer you effective protection, because not all of them have the same engines
I have limited e-activity, so the simplest, and the lightest AV is a priority before the top detection rate; common sense can fill any gaps.
 
Those are a few factors of the delay in VT detection vs your local AV.
Another factor is that sometimes vendors (especially for next-gen AVs like DeepInstinct) deploy experimental machine learning models which are not deployed in the actual products. This was confirmed by DI.

So there are the vice versa cases as well, where files are detected on VirusTotal, but not in the product.

There are also cases where products are way more up to date and more advanced than VT.

Vendors often use VT as a playground.
@Trident I assume this .Jar file is for running on Java, correct?
Yes, it is a Java app (like an archive). Users without the Java platform installed cannot run this malware.

Java is an object-oriented programming language and as such it revolves around classes. In addition to the classes, inside the JAR there is metadata and a manifest, resources for the app (audio, video, images), imported third-party libraries and potentially static content for web apps.
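Since a JAR is a ZIP archive with the layout described above, a defender can triage one without running it. This added example (not code from the thread or from any vendor) builds a constructed sample JAR in memory, reads its manifest, and reports the entry point, class count, embedded libraries and resources, flagging any .class entry that lacks the standard class-file magic; all file and class names are made up for illustration.

```python
import io
import zipfile

def build_sample_jar():
    """Constructed sample JAR (a JAR is a ZIP with a manifest); not the file from the thread."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nMain-Class: com.example.Launcher\r\n"
                    "Class-Path: lib/helper.jar\r\n\r\n")
        zf.writestr("com/example/Launcher.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)
        zf.writestr("com/example/Util.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)
        zf.writestr("assets/logo.png", b"\x89PNG\r\n\x1a\n")  # resource
        zf.writestr("lib/helper.jar", b"PK\x03\x04")  # embedded third-party library
    return buf.getvalue()

def parse_manifest(text):
    """Parse the main section of MANIFEST.MF into a dict (continuation lines start with a space)."""
    attrs, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            break                      # blank line ends the main section
        if line.startswith(" ") and last:
            attrs[last] += line[1:]    # continuation of the previous attribute
        elif ":" in line:
            key, _, value = line.partition(":")
            last = key.strip()
            attrs[last] = value.strip()
    return attrs

def triage_jar(data):
    """Summarise a JAR for triage: entry point, classes, embedded libraries and resources."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        manifest = {}
        if "META-INF/MANIFEST.MF" in names:
            manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
        classes = [n for n in names if n.endswith(".class")]
        # A genuine class file starts with the 0xCAFEBABE magic; anything else is worth a look.
        bad_magic = [n for n in classes if zf.read(n)[:4] != b"\xca\xfe\xba\xbe"]
        nested_jars = [n for n in names if n.endswith(".jar")]
        resources = [n for n in names if n not in classes and n not in nested_jars
                     and not n.startswith("META-INF/")]
    return {"main_class": manifest.get("Main-Class"), "runnable": "Main-Class" in manifest,
            "class_count": len(classes), "bad_magic": bad_magic,
            "nested_jars": nested_jars, "resources": resources}
```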
 
I do not know if it is allowed to post data about websites providing pirated movies and tv series on MT or not; I do like to respect the rules.
Oh, it's complicated. I know that paying for Netflix, Amazon Prime Video, Apple TV+, Disney+ and so on, to have all these streaming services at once, is very expensive. But I think paying for at least one is fair; you can't just watch all the films and series for free on pirate websites. It's the same for AV. If I like an AV product, I buy the licence, no problem. The same goes for streaming subscriptions. I think paying for at least one of them, whether it's a monthly or annual subscription, is more than fair for the catalogue of films and series they offer. I'm not even going to mention the risks of accessing these pirate sites, because you know that already.
 