New in 2018.12: Safe web-browsing with Emsisoft Browser Security

show-Zi

“A browser extension that blocks bad websites without compromising your privacy?”
What sounds like an attempt to square the circle, actually can be done. Almost all browser extensions that aim to block harmful websites send each visited website to cloud servers that match the exact URL/address with a large database of known bad sites. That comes with the advantage of being able to filter sites very thoroughly on the URL level (different from DNS- or host-based filtering such as available in Emsisoft’s Surf Protection feature), but the big downside of that approach is that the creators of such extensions can basically see all the websites you’re visiting and track you throughout all your online activities.
Our development team proves that things can be done in a better, more privacy-conscious way. Emsisoft Browser Security is a brand new extension, currently available for Chrome and Firefox, that not only blocks access to websites that distribute malware, but also prevents phishing attacks that try to steal your passwords.
How it works:
Instead of sending each full website URL to a cloud server for matching, it only sends a calculated hash value of the domain name of each newly visited site to our servers once and then receives a list of matching patterns that are applied locally on your computer. Those patterns are then kept for successive visits of pages on the same host/domain, which not only speeds up the matching significantly, but also means that Emsisoft doesn’t know any of the details of your browsing activity.

Emsisoft Browser Security for Chrome blocked a malware site.

Emsisoft Browser Security for Chrome toolbar popup.
Installation of Emsisoft Browser Security
Emsisoft Browser Security works independently of Emsisoft Anti-Malware and can be obtained free of charge from the extension stores:
Get Emsisoft Browser Security for Chrome
Get Emsisoft Browser Security for Firefox
We’re working on making the extension available for Edge users too.
Emsisoft Anti-Malware asks you to install the extension if it’s missing.
All 2018.12 improvements in a nutshell
Emsisoft Anti-Malware
  • New Emsisoft Browser Security extension.
  • Improved stability and compatibility.
  • Improved vulnerability resilience.
  • Improved product activation.
  • Several minor tweaks and fixes.
How to obtain the new version
As always, so long as you have auto-updates enabled in the software, you will receive the latest version automatically during your regularly scheduled updates, which are hourly by default. New users, please download the full installer from our product pages.
Note to Enterprise users: If you have chosen to receive “Delayed” updates in the Update settings for your clients, they will receive the new software version no earlier than 30 days after the regular “Stable” availability. This gives you time to perform internal compatibility tests before a new version gets rolled out to your clients automatically.
Have a great and well-protected day!
 

Gandalf_The_Grey

When using the extension together with Emsisoft Anti-Malware it almost never blocks anything. Anti-Malware almost all the time blocks first.
So not really convinced of its value when using Anti-Malware. :unsure:
 

Fabian Wosar

From Emsisoft
Developer
> When using the extension together with Emsisoft Anti-Malware it almost never blocks anything. Anti-Malware almost all the time blocks first.
> So not really convinced of its value when using Anti-Malware. :unsure:

That is due to the way both of those components are implemented. Essentially the Surf Protection at the moment watches outgoing traffic. Such traffic is checked against an IP blacklist. We also look at the actual data to figure out whether or not it looks like an HTTP request or alternatively like a TLS handshake. In both cases, we extract hostnames from the data as well and check against the hostname blocklist.

The web extension, however, injects a tiny bit of JavaScript code into websites your browser displays or websites that are loaded in any kind of frame. The tiny bit of JavaScript code triggers the extension to check the URL by submitting hashed parts of the URL to the server, which can determine whether any of our blacklist could potentially match the URL you are currently visiting. If it does, then we send back all the potential matches and the extension can check if any of them actually match. If they do, then it redirects to a block page.

Based on that, it should be obvious that the EAM Surf Protection will always be first when it comes to checking whether a site contacted is malicious or not. Only after the browser started downloading the HTML and started displaying it, it will actually consult the extension. So it will always be the second.

Now, where is the benefit of having the extension? The Surf Protection only matches based on hostnames or IPs. But that isn't enough sometimes. Easiest example: Someone puts online a phishing form on Google Docs. To block this with Surf Protection, we would block everything on docs.google.com, which clearly isn't in the intention of our users. However, since the web extension isn't limited to matching just hostnames or IPs, we can add a much more complex rule that takes into account a lot more than just the hostname. For example:

Code:
Found match for 2A51AEB5ECD8F06694B6A47C622EDFD0:
  Type: malicious
  Matches:
    ^https?\:\/\/[\w\-\.]+(?:\:(?:80|443))?[\/\\]+a[\/\\]+iskl\.edu\.my[\/\\]+document[\/\\]+d[\/\\]+1bMCiWm4xirYGAO0iC\-PQ21HfOVOkGYBqigtJiCPIdeI[\/\\]+edit$
    ^https?\:\/\/[\w\-\.]+(?:\:(?:80|443))?[\/\\]+a[\/\\]+iskl\.edu\.my[\/\\]+document[\/\\]+d[\/\\]+1bMCiWm4xirYGAO0iC\-PQ21HfOVOkGYBqigtJiCPIdeI(?:[\/\\]+|$)
    ^https?\:\/\/[\w\-\.]+(?:\:(?:80|443))?[\/\\]+forms[\/\\]+d[\/\\]+e[\/\\]+1FAIpQLSccu3A6samqkuBxcQ5Su5qR2ivpvc5xKdhUCO2ZeRR1T_J9PA
    ^https?\:\/\/[\w\-\.]+(?:\:(?:80|443))?[\/\\]+forms[\/\\]+d[\/\\]+e[\/\\]+1FAIpQLSfvnNbblsbvuI_8D5384NCSSwE0OFV98Nxn_kKy3alYeUOs_g[\/\\]+viewform\?usp\=pp_url$

This is the decoded data that the extension gets back from the server when you visit docs.google.com. The extension can take this information, in this particular case regular expressions to match against the entire URL, and determine if it matches the website being displayed/visited. And only if that website matches, we block it. However, you can go to any of the other documents hosted at Google Docs without us interfering.

So that's the real power that the web extension has over the Surf Protection. For malware it's less interesting, and the very first versions that were online, didn't even have the malware block list in the cloud backend, but only phishing related entries, but since the very first thing people did was go to VX Vault and download malware samples, we decided to include all the surf protection data in the cloud and also to make the extension watch downloads. :)
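
An added sketch of the lookup flow described in the announcement and in the reply above (hash the host, fetch candidate rules once, match the full URL locally). It is not part of either post and not Emsisoft's code. The hash function (SHA-256 of the hostname), the function names, the in-memory "server" and the `docs.example.test` rule are assumptions; only the pattern shape is modelled on the rules quoted in the reply.

```javascript
// Added illustration. Hash choice, names and sample data are assumptions.
const { createHash } = require("crypto");

// Assumption: SHA-256 of the lowercased hostname (the thread does not name the hash).
const hostHash = (host) =>
  createHash("sha256").update(host.toLowerCase()).digest("hex").toUpperCase();

// Constructed rule store on the "server": host hash -> candidate rules.
// The form ID is a placeholder, not a real indicator.
const SERVER_RULES = new Map([
  [hostHash("docs.example.test"), [{
    type: "malicious",
    pattern: String.raw`^https?\:\/\/[\w\-\.]+(?:\:(?:80|443))?[\/\\]+forms[\/\\]+d[\/\\]+e[\/\\]+CONSTRUCTED_FORM_ID(?:[\/\\]+|$)`,
  }]],
]);

// Stand-in for the network request: the server receives a hash, never the URL.
const serverSeen = [];
function serverLookup(hash) {
  serverSeen.push(hash);
  return SERVER_RULES.get(hash) || [];
}

// Client side: one lookup per host, then purely local regex matching.
const ruleCache = new Map();
function checkUrl(url) {
  const host = new URL(url).hostname;
  if (!ruleCache.has(host)) {
    const rules = serverLookup(hostHash(host)).map((r) => ({
      type: r.type,
      re: new RegExp(r.pattern),
    }));
    ruleCache.set(host, rules); // reused for later pages on the same host
  }
  const hit = ruleCache.get(host).find((r) => r.re.test(url));
  return hit ? { blocked: true, type: hit.type } : { blocked: false };
}
```

Calling `checkUrl` on several pages of the same host results in a single entry in `serverSeen`, and only the listed form path is reported as blocked while other documents on that host pass.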
 
